154100x800000000000000046931578Microsoft-Windows-Sysmon/Operationalmswin-dc01.attackrange.local-2023-03-29 21:00:18.990{2897A50F-A6E2-6424-0EB3-00000000C702}7028C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" \\mswin-server.attackrange.local create newsession_3842 binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#"C:\Users\Administrator\ATTACKRANGE\Administrator{2897A50F-6B1C-641C-7238-170000000000}0x1738722HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF{2897A50F-9F4C-6424-76B2-00000000C702}3032C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" ATTACKRANGE\Administrator
154100x800000000000000046918975Microsoft-Windows-Sysmon/Operationalmswin-dc01.attackrange.local-2023-03-29 20:51:45.391{2897A50F-A4E1-6424-E6B2-00000000C702}6248C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" \\mswin-server.attackrange.local create newsession_9915 binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#"C:\Users\Administrator\ATTACKRANGE\Administrator{2897A50F-6B1C-641C-7238-170000000000}0x1738722HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF{2897A50F-9F4C-6424-76B2-00000000C702}3032C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" ATTACKRANGE\Administrator
154100x800000000000000046904213Microsoft-Windows-Sysmon/Operationalmswin-dc01.attackrange.local-2023-03-29 20:41:51.572{2897A50F-A28F-6424-B9B2-00000000C702}3832C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" \\mswin-server.attackrange.local create bob binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#"C:\Users\Administrator\ATTACKRANGE\Administrator{2897A50F-6B1C-641C-7238-170000000000}0x1738722HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF{2897A50F-9F4C-6424-76B2-00000000C702}3032C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" ATTACKRANGE\Administrator
154100x800000000000000046903063Microsoft-Windows-Sysmon/Operationalmswin-dc01.attackrange.local-2023-03-29 20:41:11.330{2897A50F-A267-6424-B3B2-00000000C702}2316C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" \\mswin-server.attackrange.local create newsession binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#"C:\Users\Administrator\ATTACKRANGE\Administrator{2897A50F-6B1C-641C-7238-170000000000}0x1738722HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF{2897A50F-9F4C-6424-76B2-00000000C702}3032C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" ATTACKRANGE\Administrator
154100x800000000000000050324383Microsoft-Windows-Sysmon/Operationalmswin-server.attackrange.local-2023-03-29 20:35:16.398{EF490992-A104-6424-C9B4-00000000C802}7072C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" create newsession binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#"C:\Users\administrator.ATTACKRANGE\Documents\ATTACKRANGE\administrator{EF490992-A104-6424-BADB-831900000000}0x1983dbba0HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF{EF490992-A104-6424-C8B4-00000000C802}6652C:\Windows\System32\wsmprovhost.exeC:\Windows\system32\wsmprovhost.exe -EmbeddingATTACKRANGE\administrator