534500x800000000000000029741395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.240{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exe 734700x800000000000000029741384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.209{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 734700x800000000000000029741369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.220{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029741368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.218{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029741367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.217{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029741366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.217{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029741365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.217{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029741364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.217{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029741363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.217{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029741362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.215{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029741361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.215{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029741360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.215{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029741359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.214{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029741358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.214{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029741356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.214{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029741355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.214{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029741354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.213{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029741353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.212{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029741352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.212{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029741351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.211{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.210{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029741349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.210{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029741346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.209{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000029741345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.207{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029741344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.207{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029741343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:04.205{8B6011A9-7C18-6168-0578-00000000F101}7040C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029741694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.210{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exe 734700x800000000000000029741693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.192{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029741692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.181{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029741691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.181{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029741690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.181{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029741689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.179{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029741688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.179{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029741687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.179{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029741686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.178{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029741685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.178{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029741684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.178{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029741683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.177{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029741682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.177{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029741681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.177{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029741680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.176{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029741679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.176{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029741678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.176{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029741677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.176{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029741676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.174{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.174{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029741674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.173{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029741673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.172{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029741672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.172{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029741671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.171{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029741670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.171{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029741669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:16.167{8B6011A9-7C24-6168-0A78-00000000F101}2696C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -qC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029741729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.927{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exe 734700x800000000000000029741728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.910{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029741727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.908{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029741726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.908{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029741725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.908{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029741724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.907{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029741723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.907{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029741722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.907{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029741721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.906{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029741720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.905{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029741719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.905{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029741718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.905{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029741717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.905{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029741716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.905{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029741715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.902{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029741714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.901{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029741713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.901{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029741712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.901{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029741711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.898{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.898{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029741709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.897{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029741708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.897{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029741707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.896{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029741706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.895{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029741705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.895{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029741704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:18.895{8B6011A9-7C26-6168-0B78-00000000F101}6544C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -QC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000029741803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.369{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 10341000x800000000000000029741798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.370{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029741797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.370{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.369{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029741794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.365{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029741793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.361{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029741792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.360{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029741791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.360{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029741790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.359{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029741789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.359{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029741788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.359{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029741787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.359{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029741786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.359{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029741785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.358{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029741784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.358{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029741783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.358{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029741782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.358{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029741781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.357{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029741780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.356{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029741779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.356{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029741778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.356{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029741777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.354{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.354{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029741775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.353{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029741774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.353{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029741773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.352{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029741772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.351{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029741771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.351{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029741770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:29.351{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T bar -F -Q */daserverC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000029741861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:31.723{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029741851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.723{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.723{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.723{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.722{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.722{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.722{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:31.656{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029741844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:31.656{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029741843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:31.656{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029741842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:31.655{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000029741907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:33.995{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029741906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:33.995{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029741905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:33.994{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029741904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:33.992{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029741902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:33.989{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 22542200x800000000000000029741897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:34.730{8B6011A9-7C31-6168-0C78-00000000F101}6168_ldap._tcp.bar.9003-C:\Windows\System32\setspn.exe 22542200x800000000000000029741896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:34.698{8B6011A9-7C31-6168-0C78-00000000F101}6168_ldap._tcp.Default-First-Site-Name._sites.bar.9003-C:\Windows\System32\setspn.exe 534500x800000000000000029741933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:34.124{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exe 734700x800000000000000029741924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:33.988{8B6011A9-7C31-6168-0C78-00000000F101}6168C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 10341000x800000000000000029741983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.685{8B6011A9-886B-6164-0B00-00000000F101}6481984C:\Windows\system32\lsass.exe{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029741982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.685{8B6011A9-886B-6164-0B00-00000000F101}6481984C:\Windows\system32\lsass.exe{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.684{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029741980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.683{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029741979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.675{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029741978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.673{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029741977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.672{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029741976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.672{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029741975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.672{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029741974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.671{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029741973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.670{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029741972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.670{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029741971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.670{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029741970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.669{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029741969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.669{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029741968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.669{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029741967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.669{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029741966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.669{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029741965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.668{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029741964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.668{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029741963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.667{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029741962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.666{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029741961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.665{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029741960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.665{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029741959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.664{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029741958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.664{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029741957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.663{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029741956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.663{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029741955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:38.663{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T bar -F -Q */localhostC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 12241200x800000000000000029742003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029742000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029741999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.044{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029741996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:41.043{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029741995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:41.043{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029741994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:41.042{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029741993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:41.042{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 534500x800000000000000029742022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.357{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exe 734700x800000000000000029742021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.310{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029742020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.309{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029742019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.309{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029742018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.305{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029742017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.303{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029742016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:43.302{8B6011A9-7C3A-6168-0D78-00000000F101}5756C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 22542200x800000000000000029742014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:44.051{8B6011A9-7C3A-6168-0D78-00000000F101}5756_ldap._tcp.bar.9003-C:\Windows\System32\setspn.exe 22542200x800000000000000029742013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:44.051{8B6011A9-7C3A-6168-0D78-00000000F101}5756_ldap._tcp.Default-First-Site-Name._sites.bar.9003-C:\Windows\System32\setspn.exe 534500x800000000000000029742090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.097{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exe 734700x800000000000000029742088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.089{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029742087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.087{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029742086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.087{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029742085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.084{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029742084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.081{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029742083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.081{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029742082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:47.080{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:47.080{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:47.080{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029742079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.080{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029742078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:47.078{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:47.078{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:51:47.078{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029742075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.078{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029742074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.078{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029742073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.076{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029742071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.074{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029742070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.073{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029742069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.072{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029742068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.072{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029742067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.068{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029742066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.066{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029742065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.066{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029742064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.065{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029742063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.065{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029742062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.065{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029742061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.064{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029742060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.064{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029742059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.063{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029742058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.063{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029742057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.063{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029742056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.063{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029742055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.063{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029742054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.063{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029742053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.062{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029742052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.062{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029742051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.061{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029742050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.060{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029742049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.060{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029742048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.059{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029742047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.058{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029742046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.058{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029742045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.056{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029742044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.056{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029742043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:51:47.056{8B6011A9-7C43-6168-0E78-00000000F101}4804C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -xC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029742714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.250{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exe 734700x800000000000000029742713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.241{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029742712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.238{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029742711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.238{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029742710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.237{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029742709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.237{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029742708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.237{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029742707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.236{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029742706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.236{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029742705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.236{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029742704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.235{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029742703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.235{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029742702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.235{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029742701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.235{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029742700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.234{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029742699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.234{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029742698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.234{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029742697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.224{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029742696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.223{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029742695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.222{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029742694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.222{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029742693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.222{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029742692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.221{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029742691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.220{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029742690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.220{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029742689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:23.220{8B6011A9-7C67-6168-1678-00000000F101}4708C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.localC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029742820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.153{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exe 734700x800000000000000029742819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.140{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029742818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.137{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029742817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.136{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029742816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.135{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029742815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.135{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029742814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.135{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029742813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.135{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029742812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.134{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029742811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.134{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029742810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.134{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029742809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.133{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029742808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.133{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029742807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.133{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029742806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.133{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029742805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.133{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029742804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.132{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029742803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.132{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029742802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.131{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029742801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.130{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029742800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.130{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029742799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.129{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029742798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.129{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029742797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.128{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029742796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.127{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029742795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:31.126{8B6011A9-7C6F-6168-1878-00000000F101}6940C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrangeC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029742925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.505{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exe 734700x800000000000000029742923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.420{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029742922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.418{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029742921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.417{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029742920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.414{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029742919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.409{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029742918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.409{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029742917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:52:38.408{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:52:38.408{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:52:38.408{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029742914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.408{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029742913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:52:38.401{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:52:38.401{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029742911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 18:52:38.401{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029742910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.400{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029742909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.400{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029742908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.398{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029742906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.391{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029742905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.391{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029742904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.390{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029742903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.388{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029742902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.383{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029742901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.378{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029742900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.378{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029742899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.377{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029742898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.377{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029742897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.376{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029742896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.376{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029742895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.375{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029742894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.375{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029742893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.375{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029742892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.375{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029742891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.375{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029742890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.375{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029742889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.374{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029742888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.373{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029742887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.373{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029742886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.369{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029742885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.368{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029742884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.367{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029742883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.367{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029742882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.366{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029742881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.365{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029742880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.364{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029742879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.363{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029742878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 18:52:38.363{8B6011A9-7C76-6168-1978-00000000F101}6364C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange -Q */*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029763562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.572{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exe 734700x800000000000000029763560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.545{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029763559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.545{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029763558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.544{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029763557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.536{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029763556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.533{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029763555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.533{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029763554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:06:55.533{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029763553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:06:55.533{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029763552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:06:55.533{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029763551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.532{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029763550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:06:55.532{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029763549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:06:55.532{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029763548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:06:55.532{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029763547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.531{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029763546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.531{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029763545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.530{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029763543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.528{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029763542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.527{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029763541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.527{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029763540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.526{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029763539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.521{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029763538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.523{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029763537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.521{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029763536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.521{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029763535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.520{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029763534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.520{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029763533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.520{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029763532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.519{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029763531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.519{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029763530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.519{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029763529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.517{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029763528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.517{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029763527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.517{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029763526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.517{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029763525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.516{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029763524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.516{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029763523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.515{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029763522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.514{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029763521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.513{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029763520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.513{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029763519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.512{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029763518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.512{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029763517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.511{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029763516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.510{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029763515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:55.509{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 22542200x800000000000000029763580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:58.550{8B6011A9-7FCF-6168-C478-00000000F101}3532win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 354300x800000000000000029763578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:58.564{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61188-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000029763576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:06:58.543{8B6011A9-7FCF-6168-C478-00000000F101}3532C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61187-false10.0.1.14win-dc-469.attackrange.local389ldap 734700x800000000000000029764627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.923{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029764602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.906{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029764577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.904{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 534500x800000000000000029764553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.952{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exe 734700x800000000000000029764551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.903{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029764526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.930{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029764525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.929{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029764524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.929{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029764523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.927{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029764521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.903{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029764505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.922{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029764496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:23.921{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:23.921{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:23.921{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029764493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.921{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029764492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:23.921{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:23.920{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:23.920{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029764489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.920{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029764488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.919{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029764487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.919{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029764484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.916{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029764483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.900{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 10341000x800000000000000029764482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.915{8B6011A9-886B-6164-0B00-00000000F101}6486840C:\Windows\system32\lsass.exe{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029764472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.914{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029764457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.913{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029764455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.909{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029764454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.903{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029764453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.903{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029764452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.902{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029764451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.902{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029764450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.901{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029764449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.901{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029764448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.901{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029764447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.901{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029764445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.900{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029764443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.900{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029764442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.899{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029764441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.897{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029764440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.894{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029764439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.893{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029764438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.892{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029764437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.892{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029764436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.891{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029764435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.890{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029764434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:23.889{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 22542200x800000000000000029764645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:26.939{8B6011A9-8027-6168-CC78-00000000F101}6664win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 354300x800000000000000029764641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:26.946{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61222-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000029764639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:26.932{8B6011A9-8027-6168-CC78-00000000F101}6664C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61221-false10.0.1.14win-dc-469.attackrange.local389ldap 534500x800000000000000029764726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.717{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exe 734700x800000000000000029764724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.677{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029764723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.675{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029764722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.674{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029764721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.672{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029764720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.669{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029764719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.669{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029764718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:35.666{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:35.666{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:35.666{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029764715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.666{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029764714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:35.665{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:35.665{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029764712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:08:35.665{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029764711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.665{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029764710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.664{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029764709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.663{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029764707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.651{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029764706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.649{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029764705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.648{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029764704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.645{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029764703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.637{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029764702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.627{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029764701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.626{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029764700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.626{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029764699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.625{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029764698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.625{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029764697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.625{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029764696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029764695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029764694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029764693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029764692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029764691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029764690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.624{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029764689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.622{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029764688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.622{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029764687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.621{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029764686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.619{8B6011A9-ACE9-6164-3205-00000000F101}44845180C:\Windows\system32\conhost.exe{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029764685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.618{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029764684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.618{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029764683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.617{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029764682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.617{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029764681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.614{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029764680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.614{8B6011A9-ACE9-6164-3105-00000000F101}44165780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4a60023(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ea0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3f03a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee5aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ed665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee3b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ee30b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+49ab3e5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec8362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ec78d4(wow64) 154100x800000000000000029764679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:35.613{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-ACE9-6164-3105-00000000F101}4416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 22542200x800000000000000029764736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:38.685{8B6011A9-8033-6168-CD78-00000000F101}7044win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 354300x800000000000000029764734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:38.670{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61225-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000029764739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:08:38.695{8B6011A9-8033-6168-CD78-00000000F101}7044C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61226-false10.0.1.14win-dc-469.attackrange.local389ldap 734700x800000000000000029767245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.572{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 534500x800000000000000029767243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.601{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exe 734700x800000000000000029767231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.565{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029767200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.544{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029767189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.571{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029767188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.570{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029767174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.543{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029767162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.560{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029767161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.559{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000029767142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.542{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 12241200x800000000000000029767135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:06.547{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:06.547{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:06.547{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029767132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.547{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029767130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:06.544{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:06.544{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:06.544{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029767104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.529{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 10341000x800000000000000029767102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.532{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029767101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.532{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029767083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.512{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029767075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.528{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029767073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.521{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029767055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.510{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029767048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.518{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029767047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.517{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029767046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.516{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029767045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.515{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029767044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.514{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029767043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.513{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029767042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.513{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029767041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.512{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029767039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.510{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029767038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.510{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029767037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.509{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029767036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.507{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029767035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.506{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029767034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.506{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029767033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.504{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029767032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.503{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029767031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.503{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029767030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.502{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029767029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.502{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029767028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.500{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029767027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.500{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029767026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:06.501{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x800000000000000029767359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:09.588{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61236-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000029767357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:09.555{8B6011A9-8052-6168-D878-00000000F101}2320C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61235-false10.0.1.14win-dc-469.attackrange.local389ldap 22542200x800000000000000029767356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:09.593{8B6011A9-8052-6168-D878-00000000F101}2320win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 22542200x800000000000000029767355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:09.566{8B6011A9-8052-6168-D878-00000000F101}2320win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 534500x800000000000000029767593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.993{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exe 734700x800000000000000029767591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.974{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029767590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.974{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029767589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.973{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029767588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.971{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029767587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.966{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029767586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.964{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029767585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:33.964{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:33.964{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:33.964{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029767582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.964{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029767581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:33.963{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:33.963{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029767579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:09:33.963{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029767578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.963{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029767577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.962{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029767576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.961{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029767574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.953{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029767573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.953{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029767572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.952{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029767571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.951{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029767570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.947{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029767569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.944{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029767568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.944{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029767567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.943{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029767566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.943{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029767565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.943{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029767564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.943{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029767563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.942{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029767562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.942{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029767561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.942{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029767560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.941{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029767559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.941{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029767558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.941{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029767557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.939{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029767556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.939{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029767555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.937{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029767554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.937{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029767553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.935{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029767552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.934{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029767551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.934{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029767550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.931{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029767549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.931{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029767548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.928{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029767547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.928{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029767546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:33.928{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x800000000000000029767611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:36.991{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61246-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000029767609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:36.975{8B6011A9-806D-6168-D978-00000000F101}5712C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61245-false10.0.1.14win-dc-469.attackrange.local389ldap 22542200x800000000000000029767613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:09:36.984{8B6011A9-806D-6168-D978-00000000F101}5712win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 534500x800000000000000029768381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.926{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exe 734700x800000000000000029768379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.880{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029768378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.879{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029768377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.878{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029768376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.874{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029768375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.870{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029768374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.870{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029768373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:10:00.869{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029768372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:10:00.869{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029768371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:10:00.869{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029768370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.869{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029768369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:10:00.868{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029768368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:10:00.868{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029768367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:10:00.868{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029768366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.868{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029768365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.867{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029768364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.866{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029768362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.860{8B6011A9-886B-6164-0B00-00000000F101}6486532C:\Windows\system32\lsass.exe{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029768361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.860{8B6011A9-886B-6164-0B00-00000000F101}6486532C:\Windows\system32\lsass.exe{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029768360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.857{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029768359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.856{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029768358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.854{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029768357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.852{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029768356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.851{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029768355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.851{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029768354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.851{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029768353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.851{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029768352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029768351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029768350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029768349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029768348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029768347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029768346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.850{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029768345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.849{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029768344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.849{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029768343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.849{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029768342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.848{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029768341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.847{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029768340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.846{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029768339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.845{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029768338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.844{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029768337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.844{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029768336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.843{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029768335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.842{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029768334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:00.842{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 22542200x800000000000000029768399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:03.888{8B6011A9-8088-6168-E178-00000000F101}5488win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 354300x800000000000000029768396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:03.896{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61253-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000029768394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:10:03.877{8B6011A9-8088-6168-E178-00000000F101}5488C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61252-false10.0.1.14win-dc-469.attackrange.local389ldap 12241200x800000000000000029769226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.135{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029769225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.135{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029769224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.135{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029769223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.135{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029769222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.134{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029769221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.134{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029769220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.134{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029769219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:11:26.132{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029769218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.132{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029769217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.131{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029769216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.131{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029769214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.107{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029769213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.106{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029769212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.105{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029769211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.104{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029769210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.099{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029769209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.098{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029769208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.098{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029769207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.098{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029769206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.096{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029769205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.096{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029769204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.096{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029769203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.096{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029769202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.096{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029769201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.096{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029769200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.095{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029769199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.095{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029769198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.095{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029769197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.095{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029769196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.094{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029769195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.094{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029769194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.093{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029769193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.093{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029769192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.092{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029769191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.091{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029769190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.091{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029769189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.091{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029769188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.089{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029769187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.089{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029769186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:26.088{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T medin.local -Q */*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029769253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.485{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exe 734700x800000000000000029769252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.457{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029769251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.456{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029769250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.456{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029769249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.454{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029769248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.452{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029769247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:28.452{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 22542200x800000000000000029769241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:29.153{8B6011A9-80DE-6168-E978-00000000F101}5260_ldap._tcp.medin.local.9003-C:\Windows\System32\setspn.exe 22542200x800000000000000029769240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:29.153{8B6011A9-80DE-6168-E978-00000000F101}5260_ldap._tcp.Default-First-Site-Name._sites.medin.local.9003-C:\Windows\System32\setspn.exe 354300x800000000000000029769266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:31.467{8B6011A9-80DE-6168-E978-00000000F101}5260C:\Windows\System32\setspn.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61281-false10.0.1.14win-dc-469.attackrange.local389ldap 22542200x800000000000000029769271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:31.471{8B6011A9-80DE-6168-E978-00000000F101}5260win-dc-469.attackrange.local0fe80::2117:fdb0:db44:3240;::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 22542200x800000000000000029769270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:11:31.468{8B6011A9-80DE-6168-E978-00000000F101}5260medin.local9003-C:\Windows\System32\setspn.exe 534500x800000000000000029774155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.147{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exe 734700x800000000000000029774153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.089{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029774152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.089{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029774151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.088{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029774150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.085{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029774149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.079{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029774148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.075{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029774147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:18:13.074{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029774146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:18:13.074{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029774145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:18:13.074{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029774144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.074{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029774143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:18:13.073{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029774142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:18:13.073{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029774141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:18:13.073{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029774140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.072{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029774139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.071{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029774138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.071{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029774136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.067{8B6011A9-886B-6164-0B00-00000000F101}6481984C:\Windows\system32\lsass.exe{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029774135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.067{8B6011A9-886B-6164-0B00-00000000F101}6481984C:\Windows\system32\lsass.exe{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029774134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.067{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029774133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.066{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029774132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.062{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029774131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.058{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029774130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.058{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029774129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.056{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029774128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.056{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029774127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.054{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029774126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.054{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029774125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.050{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029774124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.050{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029774123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.050{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029774122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.050{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029774121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.050{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029774120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.049{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029774119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.048{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029774118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.048{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029774117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.048{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029774116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.047{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029774115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.046{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029774114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.045{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029774113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.045{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029774112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.044{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029774111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.043{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029774110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.042{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029774109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.042{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029774108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:18:13.043{8B6011A9-8275-6168-1C79-00000000F101}5548C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029774785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.696{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exe 734700x800000000000000029774784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.675{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029774783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.673{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029774782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.671{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029774781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.670{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029774780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.670{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029774779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.669{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029774778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.669{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029774777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.669{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029774776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.669{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029774775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.667{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029774774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.666{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029774773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.666{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029774772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.666{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029774771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.665{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029774770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.664{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029774769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.664{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029774768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.664{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000029774767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.662{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 10341000x800000000000000029774766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.663{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029774765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.662{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029774764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.661{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029774763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.660{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029774762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.659{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029774761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.658{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029774760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:19:09.658{8B6011A9-82AD-6168-2479-00000000F101}3880C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029784563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.397{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exe 734700x800000000000000029784560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.383{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029784559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.383{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029784558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.383{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029784557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.381{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029784556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.378{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029784555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.377{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029784554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:33:16.377{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029784553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:33:16.377{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029784552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:33:16.377{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029784551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.376{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029784550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:33:16.376{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029784549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:33:16.376{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029784548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:33:16.376{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029784547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.375{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029784546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.374{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029784545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.374{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029784543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.371{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029784542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.370{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029784541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.368{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029784540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.368{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029784539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.364{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029784538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.361{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029784537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.361{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029784536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.361{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029784535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.360{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029784534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.360{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029784533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.360{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029784532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.360{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029784531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.360{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029784530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.358{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029784529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.358{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029784528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.358{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029784527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.358{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029784526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.358{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029784525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.357{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029784523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.356{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029784516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.355{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029784496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.353{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029784494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.352{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029784493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.352{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029784491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.351{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029784490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.350{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029784489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.347{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029784488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.347{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029784487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:16.345{8B6011A9-85FC-6168-8C79-00000000F101}6176C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -s smb/purplehaze.offense:445 atomicC:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029784706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.286{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exe 734700x800000000000000029784705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.274{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029784704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.271{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029784703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.271{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029784702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.271{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029784701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.271{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029784700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.270{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029784699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.270{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029784698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.270{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029784697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.269{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029784696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.269{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029784695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.269{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029784694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.269{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029784693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.267{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029784692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.266{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029784691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.266{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029784690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.266{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029784689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.265{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029784688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.264{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029784687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.264{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029784686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.264{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029784685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.261{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029784684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.260{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029784683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.259{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029784682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.258{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029784681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:33:30.259{8B6011A9-860A-6168-8D79-00000000F101}3800C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029792472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.387{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exe 734700x800000000000000029792471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.384{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029792470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.384{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029792469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.383{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029792468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.382{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029792467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.379{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029792466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.379{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029792464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.358{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.358{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.358{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029792461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.358{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029792460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.357{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.357{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.357{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:31.312{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029792456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.311{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029792455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.311{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029792454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.310{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029792452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.289{8B6011A9-886B-6164-0B00-00000000F101}6486532C:\Windows\system32\lsass.exe{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029792451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.289{8B6011A9-886B-6164-0B00-00000000F101}6486532C:\Windows\system32\lsass.exe{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029792450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.289{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029792449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.287{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029792448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.281{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029792447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.280{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029792446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.279{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029792445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.279{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029792444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.278{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029792443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.276{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029792442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.276{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029792441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.276{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029792440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.276{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029792439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.275{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029792438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.274{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029792437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.274{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029792436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.273{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029792435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.272{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029792434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.272{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029792433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.272{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029792432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.271{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029792431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.270{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029792430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.269{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029792429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.269{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029792428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.268{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029792427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.267{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029792426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.265{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029792425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.264{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029792424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:31.264{8B6011A9-88DB-6168-E279-00000000F101}5624C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T global.mydomain.local -F -Q MSSQLSvc/*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029792930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.105{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exe 734700x800000000000000029792926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.089{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000029792925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.088{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37CtrueMicrosoft WindowsValid 734700x800000000000000029792924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.088{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94trueMicrosoft WindowsValid 734700x800000000000000029792923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.085{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x800000000000000029792922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.082{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000029792921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.081{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000029792920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:44.080{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:44.080{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:44.080{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029792917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.080{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000029792916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:44.079{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:44.079{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000029792914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-14 19:45:44.079{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000029792913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.079{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000029792912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.078{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000029792911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.077{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 10341000x800000000000000029792909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.074{8B6011A9-886B-6164-0B00-00000000F101}6487136C:\Windows\system32\lsass.exe{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029792908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.074{8B6011A9-886B-6164-0B00-00000000F101}6487136C:\Windows\system32\lsass.exe{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029792907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.073{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000029792906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.072{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000029792905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.068{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029792904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.066{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029792903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.065{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029792902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.065{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029792901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.065{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029792900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.064{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029792899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.064{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029792898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.064{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029792897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.064{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029792896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.063{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029792895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.063{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029792894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.063{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029792893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.063{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029792892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.062{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029792891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.061{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029792890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.061{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029792889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.060{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029792888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.059{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029792887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.058{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029792886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.058{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029792885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.057{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029792884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.056{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029792883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.053{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029792882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.052{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029792881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 19:45:44.051{8B6011A9-88E8-6168-E979-00000000F101}4948C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -F -Q MSSQLSvc/*C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000029819512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.503{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exe 734700x800000000000000029819494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.488{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000029819486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.494{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000029819484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.491{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000029819483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.491{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000029819481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.490{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000029819480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.489{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000029819479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.489{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000029819477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.489{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000029819476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.489{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000029819475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.488{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000029819474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.488{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000029819473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.488{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000029819472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.488{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000029819471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.487{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000029819470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.487{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000029819469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.487{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000029819468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.486{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000029819467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.486{8B6011A9-804E-6168-D778-00000000F101}47481992C:\Windows\system32\conhost.exe{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000029819466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.485{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000029819465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.485{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000029819464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.484{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000029819463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.483{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exeC:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exeMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1trueMicrosoft WindowsValid 10341000x800000000000000029819462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.483{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029819461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.482{8B6011A9-804E-6168-D678-00000000F101}54924312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000029819460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-14 20:25:56.482{8B6011A9-9254-6168-057B-00000000F101}4280C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1{8B6011A9-804E-6168-D678-00000000F101}5492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x80000000000000008017198Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.810{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000008017197Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.685{AD5E2759-5432-6143-0B00-00000000F101}6283524C:\Windows\system32\lsass.exe{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017196Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.685{AD5E2759-5432-6143-0B00-00000000F101}6283524C:\Windows\system32\lsass.exe{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017195Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.670{AD5E2759-A1BE-6168-4461-04000000F101}57005728C:\Windows\system32\conhost.exe{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017192Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.670{AD5E2759-A1AF-6168-1D61-04000000F101}21723308C:\Windows\system32\csrss.exe{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008017189Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.670{AD5E2759-A1BE-6168-4361-04000000F101}56885856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de4d0027(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9530bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de41b3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd91002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd973a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd955aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd955aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd95593f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd94665f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953ba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953713(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9530bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de41b3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd938366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9378d8(wow64) 154100x80000000000000008017188Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:19.670{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\WIN-HOST-874\Administrator{AD5E2759-A1B1-6168-DD52-B32300000000}0x23b352dd2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1,IMPHASH=EE2A1EFE656353E15839359CEC611C50{AD5E2759-A1BE-6168-4361-04000000F101}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x80000000000000008017205Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:37.781{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\System32\setspn.exeWIN-HOST-874\Administratortcptruefalse10.0.1.15win-host-874.attackrange.local61768-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 354300x80000000000000008017204Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:37.753{AD5E2759-A1E3-6168-5461-04000000F101}1100C:\Windows\System32\setspn.exeWIN-HOST-874\Administratortcptruefalse10.0.1.15win-host-874.attackrange.local61767-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 22542200x80000000000000008017209Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:37.769{AD5E2759-A1E3-6168-5461-04000000F101}1100win-dc-469.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\setspn.exe 734700x80000000000000008017311Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.417{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000008017310Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.276{AD5E2759-5432-6143-0B00-00000000F101}6284676C:\Windows\system32\lsass.exe{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017309Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.276{AD5E2759-5432-6143-0B00-00000000F101}6284676C:\Windows\system32\lsass.exe{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017307Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.182{AD5E2759-A1BE-6168-4461-04000000F101}57005728C:\Windows\system32\conhost.exe{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017302Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.167{AD5E2759-A1AF-6168-1D61-04000000F101}2172928C:\Windows\system32\csrss.exe{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008017301Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.167{AD5E2759-A1BE-6168-4361-04000000F101}56885856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de4d0027(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9530bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de41b3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd91002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd973a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd955aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd955aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd95593f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd94665f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953ba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953713(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9530bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de41b3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd938366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9378d8(wow64) 154100x80000000000000008017300Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:43.176{AD5E2759-A1FB-6168-5661-04000000F101}3828C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -F -Q MSSQLSvc/*C:\Users\Administrator\WIN-HOST-874\Administrator{AD5E2759-A1B1-6168-DD52-B32300000000}0x23b352dd2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1,IMPHASH=EE2A1EFE656353E15839359CEC611C50{AD5E2759-A1BE-6168-4361-04000000F101}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x80000000000000008017351Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.858{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\System32\setspn.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000008017350Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.841{AD5E2759-5432-6143-0B00-00000000F101}6283884C:\Windows\system32\lsass.exe{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\system32\setspn.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017349Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.841{AD5E2759-5432-6143-0B00-00000000F101}6283884C:\Windows\system32\lsass.exe{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\system32\setspn.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017348Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.826{AD5E2759-A1BE-6168-4461-04000000F101}57005728C:\Windows\system32\conhost.exe{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008017343Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.826{AD5E2759-A1AF-6168-1D61-04000000F101}2172928C:\Windows\system32\csrss.exe{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008017342Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.826{AD5E2759-A1BE-6168-4361-04000000F101}56885856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\system32\setspn.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de4d0027(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9530bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de41b3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd91002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd973a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd955aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd955aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd95593f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd94665f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953ba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953713(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd953480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9530bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+de41b3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd938366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+dd9378d8(wow64) 154100x80000000000000008017341Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-10-14 21:32:48.835{AD5E2759-A200-6168-5761-04000000F101}6008C:\Windows\System32\setspn.exe10.0.14393.0 (rs1_release.160715-1616)Query or reset the computer's SPN attributeMicrosoft® Windows® Operating SystemMicrosoft Corporationsetspn.exe"C:\Windows\system32\setspn.exe" -T attackrange.local -Q */*C:\Users\Administrator\WIN-HOST-874\Administrator{AD5E2759-A1B1-6168-DD52-B32300000000}0x23b352dd2HighMD5=5C184D581524245DAD7A0A02B51FD2C2,SHA256=909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1,IMPHASH=EE2A1EFE656353E15839359CEC611C50{AD5E2759-A1BE-6168-4361-04000000F101}5688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"